Programmable intelligent search memory enabled secure dram

ABSTRACT

Systems comprising a processor and a dynamic random access memory (DRAM). The DRAM comprises a programmable intelligent search memory (PRISM).

RELATED APPLICATIONS

This application is a continuation of application Ser. No. 14/303,254,which is a continuation-in-part of the application Ser. No. 13/472,042,filed May 15, 2012, which is continuation of U.S. patent applicationSer. No. 13/172,276, filed Jun. 29, 2011 (now U.S. Pat. No. 8,200,599issued Jun. 12, 2012), which is a continuation of U.S. patentapplication Ser. No. 13/029,782, filed Feb. 17, 2011 (now U.S. Pat. No.7,996,348 issued Aug. 9, 2011), which is a continuation of U.S. patentapplication Ser. No. 11/952,043, filed Dec. 6, 2007 (now U.S. Pat. No.7,912,808 issued Mar. 22, 2011), which claims priority to ProvisionalApplication Ser. No. 60/965,267 filed on Aug. 17, 2007 entitled“Embedded programmable intelligent search memory”, ProvisionalApplication Ser. No. 60/965,170 filed on Aug. 17, 2007 entitled “100Gbps security and search architecture using programmable intelligentsearch memory”, Provisional Application Ser. No. 60/963,059 filed onAug. 1, 2007 entitled “Signature search architecture for programmableintelligent search memory”, Provisional Application Ser. No. 60/961,596filed on Jul. 23, 2007 entitled “Interval symbol architecture forprogrammable intelligent search memory”, Provisional Application Ser.No. 60/933,313 filed on Jun. 6, 2007 entitled “FSA context switcharchitecture for programmable intelligent search memory”, ProvisionalApplication Ser. No. 60/933,332 filed on Jun. 6, 2007 entitled “FSAextension architecture for programmable intelligent search memory”,Provisional Application Ser. No. 60/930,607 filed on May 17, 2007entitled “Compiler for programmable intelligent search memory”,Provisional Application Ser. No. 60/928,883 filed on May 10, 2007entitled “Complex symbol evaluation for programmable intelligent searchmemory”, Provisional Application Ser. No. 60/873,632 filed on Dec. 8,2006 entitled “Programmable intelligent search memory”, ProvisionalApplication Ser. No. 60/873,889 filed on Dec. 8, 2006 entitled “Dynamicprogrammable intelligent search memory”, which are all incorporatedherein by reference in their entirety as if fully set forth herein.

This application is also related to U.S. patent application Ser. No.11/952,028 filed on Dec. 6, 2007 entitled “Embedded programmableintelligent search memory”, U.S. patent application Ser. No. 11/952,103filed on Dec. 6, 2007 entitled “Signature search architecture forprogrammable intelligent search memory”, U.S. patent application Ser.No. 11/952,104 filed on Dec. 6, 2007 entitled “Interval symbolarchitecture for programmable intelligent search memory”, U.S. patentapplication Ser. No. 11/952,108 on Dec. 6, 2007 entitled “FSA contextswitch architecture for programmable intelligent search memory”, U.S.patent application Ser. No. 11/952,110 filed on Dec. 6, 2007 entitled“FSA extension architecture for programmable intelligent search memory”,U.S. patent application Ser. No. 11/952,111 filed on Dec. 6, 2007entitled “Compiler for programmable intelligent search memory”, U.S.patent application Ser. No. 11/952,112 filed on Dec. 6, 2007 entitled“Complex symbol evaluation for programmable intelligent search memory”,U.S. patent application Ser. No. 11/952,114 filed on Dec. 6, 2007entitled “Programmable intelligent search memory”, U.S. patentapplication Ser. No. 11/952,117, filed Dec. 6, 2007 entitled “DynamicProgrammable Intelligent Search Memory” which are all co-pending U.S.patent applications of common ownership. All of the foregoing areincorporated herein by reference in their entirety as if fully set forthherein.

BACKGROUND OF THE INVENTION

This invention relates generally to memory technology and in particularto a new high performance intelligent content search memories forsignature search, regular expression search and a compiler for it.

Many modern applications depend on fast information search andretrieval. With the advent of the world-wide-web and the phenomenalgrowth in its usage, content search has become a critical capability. Alarge number of servers get deployed in web search applications due tothe performance limitations of the state of the art microprocessors forregular expression driven search.

There have been significant research and development resources devotedto the topic of searching of lexical information or patterns in strings.Regular expressions have been used extensively since the mid 1950s todescribe the patterns in strings for content search, lexical analysis,information retrieval systems and the like. Regular expressions werefirst studied by S. C. Kleene in mid-1950s to describe the events ofnervous activity. It is well understood in the industry that regularexpression (RE) can also be represented using finite state automata(FSA). Non-deterministic FSA (NFA) and deterministic FSA (DFA) are twotypes of FSAs that have been used extensively over the history ofcomputing. Rabin and Scott were the first to show the equivalence of DFAand NFA as far as their ability to recognize languages in 1959. Ingeneral a significant body of research exists on regular expressions.Theory of regular expressions can be found in “Introduction to AutomataTheory, Languages and Computation” by Hoperoft and Ullman and asignificant discussion of the topics can also be found in book“Compilers: Principles, Techniques and Tools” by Aho, Sethi and Ullman.

Computers are increasingly networked within enterprises and around theworld. These networked computers are changing the paradigm ofinformation management and security. Vast amount of information,including highly confidential, personal and sensitive information is nowbeing generated, accessed and stored over the network. This informationneeds to be protected from unauthorized access. Further, there is acontinuous onslaught of spam, viruses, and other inappropriate contenton the users through email, web access, instant messaging, web downloadand other means, resulting in significant loss of productivity andresources.

Enterprise and service provider networks are rapidly evolving from10/100 Mbps line rates to 1 Gbps, 10 Gbps and higher line rates.Traditional model of perimeter security to protect information systemspose many issues due to the blurring boundary of an organization'sperimeter. Today as employees, contractors, remote users, partners andcustomers require access to enterprise networks from outside, aperimeter security model is inadequate. This usage model poses serioussecurity vulnerabilities to critical information and computing resourcesfor these organizations. Thus the traditional model of perimetersecurity has to be bolstered with security at the core of the network.Further, the convergence of new sources of threats and high line ratenetworks is making software based perimeter security to stop theexternal and internal attacks inadequate. There is a clear need forenabling security processing in hardware inside core or end systemsbeside a perimeter security as one of the prominent means of security tothwart ever increasing security breaches and attacks.

FBI and other leading research institutions have reported in recentyears that over 70% of intrusions in organizations have been internal.Hence a perimeter defense relying on protecting an organization fromexternal attacks is not sufficient as discussed above. Organizations arealso required to screen outbound traffic to prevent accidental ormalicious disclosure of proprietary and confidential information as wellas to prevent its network resources from being used to proliferate spam,viruses, worms and other malware. There is a clear need to inspect thedata payloads of the network traffic to protect and secure anorganization's network for inbound and outbound security.

Data transported using TCP/IP or other protocols is processed at thesource, the destination or intermediate systems in the network or acombination thereof to provide data security or other services likesecure sockets layer (SSL) for socket layer security, Transport layersecurity, encryption/decryption, RDMA, RDMA security, application layersecurity, virtualization or higher application layer processing, whichmay further involve application level protocol processing (for example,protocol processing for HTTP, HTTPS, XML, SGML, Secure XML, other XMLderivatives, Telnet, FTP, IP Storage, NFS, CIFS, DAFS, and the like).Many of these processing tasks put a significant burden on the hostprocessor that can have a direct impact on the performance ofapplications and the hardware system. Hence, some of these tasks need tobe accelerated using dedicated hardware for example SSL, or TLSacceleration. As the usage of XML increases for web applications, it iscreating a significant performance burden on the host processor and canalso benefit significantly from hardware acceleration. Detection ofspam, viruses and other inappropriate content require deep packetinspection and analysis. Such tasks can put huge processing burden onthe host processor and can substantially lower network line rate. Hence,deep packet content search and analysis hardware is also required.

Internet has become an essential tool for doing business at small tolarge organizations. HTML based static web is being transformed into adynamic environment over last several years with deployment of XML basedservices. XML is becoming the lingua-franca of the web and its usage isexpected to increase substantially. XML is a descriptive language thatoffers many advantages by making the documents self-describing forautomated processing but is also known to cause huge performanceoverhead for best of class server processors. Decisions can be made byprocessing the intelligence embedded in XML documents to enable businessto business transactions as well as other information exchange. However,due to the performance overload on the best of class server processorsfrom analyzing XML documents, they cannot be used in systems thatrequire network line rate XML processing to provide intelligentnetworking.

There is a clear need for acceleration solutions for XML documentparsing and content inspection at network line rates which areapproaching 1 Gbps and 10 Gbps, to realize the benefits of a dynamic webbased on XML services.

Regular expressions can be used to represent the content search stringsfor a variety of applications like those discussed above. A set ofregular expressions can then form a rule set for searching for aspecific application and can be applied to any document, file, message,packet or stream of data for examination of the same. Regularexpressions are used in describing anti-spam rules, anti-virus rules,anti-spyware rules, anti-phishing rules, intrusion detection rules,intrusion prevention rules, extrusion detection rules, extrusionprevention rules, digital rights management rules, legal compliancerules, worm detection rules, instant message inspection rules, VOIPsecurity rules, XML document security and search constructs, genetics,proteomics, XML based protocols like XMPP, web search, database search,bioinformatics, signature recognition, speech recognition, web indexingand the like. These expressions get converted into NFAs or DFAs forevaluation on a general purpose processor. However, significantperformance and storage limitations arise for each type of therepresentation. For example an N character regular expression can takeup to the order of 2^(N) memory for the states of a DFA, while the samefor an NFA is in the order of N. On the other hand the performance forthe DFA evaluation for an M byte input data stream is in the order of Mmemory accesses and the order of (N*M) processor cycles for the NFArepresentation on modern microprocessors.

When the number of regular expressions increases, the impact on theperformance deteriorates as well. For example, in an application likeanti-spam, there may be hundreds of regular expression rules. Theseregular expressions can be evaluated on the server processors usingindividual NFAs or DFAs. It may also be possible to create a compositeDFA to represent the rules. Assuming that there are X REs for anapplication, then a DFA based representation of each individual RE wouldresult up to the order of (X*2^(N)) states however the evaluation timewould grow up to the order of (X*N) memory cycles. Generally, due to thepotential expansion in the number of states for a DFA they would need tobe stored in off chip memories. Using a typical access time latency ofmain memory systems of 60 ns, it would require about (X*60 ns*N*M) timeto process an X RE DFA with N states over an M byte data stream. Thiscan result in tens of Mbps performance for modest size of X, N & M. Suchperformance is obviously significantly below the needs of today'snetwork line rates of 1 Gbps to 10 Gbps and beyond. On the other hand,if a composite DFA is created, it can result in an upper bound ofstorage in the order of 2^(N)*^(X) which may not be within physicallimits of memory size for typical commercial computing systems even fora few hundred REs. Thus the upper bound in memory expansion for DFAs canbe a significant issue. Then on the other hand NFAs arenon-deterministic in nature and can result in multiple state transitionsthat can happen simultaneously. NFAs can only be processed on a state ofthe art microprocessor in a scalar fashion, resulting in multipleexecutions of the NFA for each of the enabled paths. X REs with Ncharacters on average can be represented in the upper bound of (X*N)states as NFAs. However, each NFA would require M iterations for anM-byte stream, causing an upper bound of (X*N*M*processor cycles perloop). Assuming the number of processing cycles are in the order of 10cycles, then for a best of class processor at 4 GHz, the processing timecan be around (X*N*M*2.5 ns), which for a nominal N of 8 and X in tenscan result in below 100 Mbps performance. There is a clear need tocreate high performance regular expression based content searchacceleration which can provide the performance in line with the networkrates which are going to 1 Gbps and 10 Gbps.

The methods for converting a regular expression to Thompson's NFA andDFA are well known. The resulting automata are able to distinguishwhether a string belongs to the language defined by the regularexpression however it is not very efficient to figure out if a specificsub-expression of a regular expression is in a matching string or theextent of the string. Tagged NFAs enable such queries to be conductedefficiently without having to scan the matching string again. For adiscussion on Tagged NFA refer to the paper “NFAs with TaggedTransitions, their Conversion to Deterministic Automata and Applicationto Regular Expressions”, by Ville Laurikari, Helsinki University ofTechnology, Finland.

SUMMARY OF THE INVENTION

Advent of cloud computing particularly public, hybrid, enterprise andcommunity cloud networks affords significant advantages in terms ofinfrastructure scalability and availability. However, these networksalso are exposed to significant new security vulnerabilities. The cloudnetworking systems need to be better secured from the emerging threats.Dynamic random access memories are universally used in various systemsin the cloud networks. This patent application enables creating a secureDRAM to enable a unified security model for the cloud networks.

A programmable intelligent search memory (PRISM) of my invention is amemory technology that supports orders of magnitude larger number ofregular expressions in a single chip for current and emerging contentsearch applications. PRISM memory supports FSAs of a number of states‘n’ which may be any integer like 8, 16, 32 and the like. However, attimes there may be a need to support regular expressions with number ofstates which are more than that represented in a single PRISM FSA. Forsuch cases it may be necessary to allow multiple PRISM FSAs to becoupled together to support the bigger REs. Further, there are certainapplications where the rules are specified as a group of rules that areevaluated together and there may be nesting amongst the rule groups.Such applications may have groups of rules that may be evaluatedsimultaneously or one after the other and need a means of communicatingfrom one FSA to another. My invention describes an architecture thatenables creation of extensible FSAs to support needs such as the onesdescribed above and the like. Modern programming languages and Operatingsystems like Perl and POSIX allow for regular expressions with aninterval or a range. For example if in a regular expression the symbol‘a’ appears 5 consecutive times, then it is possible to represent thatas ‘a[5]’. In general such expressions can be ‘a[x,y]’, which meanssymbol ‘a’ must appear in the expression from ‘x’ to ‘y’ times or‘a[x,]’ which means the symbol ‘a’ must appear at least ‘x’ times forthis expression to be valid or ‘a[x]’ which means the symbol ‘a’ mustappear exactly ‘x’ times for this expression to be valid. My inventionalso describes an architecture that enables the creation of such complexregular expressions with interval representation in an efficient waywithout using up a large number of states depending on the intervalrange ‘x’ and ‘y’ in the expressions like ‘a[x,y]’ or ‘a[x,]’ or ‘a[x]’or the like. There is a need for creating a compiler flow that cantarget converting regular expression rules in to a form that PRISM basedsearch engines can use to process input data for content specified bythe regular expression rules. My invention describes a compiler forregular expressions that can be used for PRISM.

Many applications also represent content search rules as a set ofsignature patterns like those used for anti-virus application. Modernanti-virus solutions have in the order of 100,000 or more signatures. Abig portion of these signatures are typically represented as a string ofcharacters. However, a smaller portion of the signatures may alsocomprise of regular expressions. Bloom filters have been suggested inliterature as a way to test set membership of any content within a listof large fixed patterns or signatures. Bloom filters cannot handleregular expressions and hence for applications like anti-virus, othersolutions have to be used for those signatures with regular expressionswhich may be a relatively large number from a composite DFA basedrealization for high performance. My invention describes a way toevaluate a large number of signature patterns comprising fixed patternsand regular expression based patterns like those in anti-virusapplications in a compact and efficient way.

I describe a FSA extension architecture, a complex regular expressionswith interval architecture, signature recognition architecture and ahigh performance Programmable Intelligent Search Memory™ (PRISM™) forsearching content with regular expressions as well as other patternsearches like signatures. I describe an architecture that can be used toachieve security and search performance from below 1 Gbps to over 100Gbps using PRISM.

Programmable intelligent search memory of this patent can have many useswherever any type of content needs to be searched for example innetworking, storage, security, web search applications, XML processing,bio informatics, signature recognition, genetics, proteomics, speechrecognition, database search, enterprise search and the like. Theprogrammable intelligent search memory of my invention may be embodiedas independent PRISM memory integrated circuits working with or may alsobe embodied within microprocessors, multi-core processors, networkprocessors, TCP Offload Engines, network packet classification engines,protocol processors, regular expression processors, content searchprocessors, network search engines, content addressable memories,mainframe computers, grid computers, servers, workstations, personalcomputers, laptops, notebook computers, PDAs, handheld devices, cellularphones, wired or wireless networked devices, switches, routers,gateways, unified threat management devices, firewalls, VPNs, intrusiondetection and prevention systems, extrusion detection systems,compliance management systems, wearable computers, data warehouses,storage area network devices, storage systems, data vaults, chipsets andthe like or their derivatives or any combination thereof.

The regular expressions may optionally be tagged to detect subexpression matches beside the full regular expression match. The regularexpressions are converted into equivalent NFAs and optionally intotagged NFAs. The PRISM memory also optionally provides ternary contentaddressable memory functionality. So fixed string searches mayoptionally be programmed into the PRISM™ memory of my invention. PRISMmemory of this invention enables a very efficient and compactrealization of intelligent content search using FSA to meet the needs ofcurrent and emerging content search applications. For clarity, as usedin this patent the terms “programmable intelligent search memory”,“search memory”, “content search memory”, or “PRISM memory” are usedinterchangeably and have the same meaning unless specifically noted.Further for clarity, as used in this patent the term “memory” when usedindependently is used to refer to random access memory or RAM or DynamicRAM (DRAM) or DDR or QDR or RLDRAM or RDRAM or FCRAM or Static RAM(SRAM) or read only memory (ROM) or FLASH or cache memory or the like orany future derivatives of such memories.

The PRISM memory performs simultaneous search of regular expressions andother patterns (also referred to as “rules” or “regular expressionrules” or “pattern search rules” or “patterns” or “regular expressions”in this patent) against the content being examined. The content may bepresented to the search memory by a companion processor or PRISMcontroller or content stream logic or a master processor or the likewhich may be on the same integrated circuit chip as the PRISM memory ormay be on a separate device. The content to be searched may be streamingcontent or network packets or data from a master processor or data froma disk or a file or reside in on-chip memory or off-chip memory orbuffers or the like from which a controller may present it to the searchmemory arrays for examination. The content search memory arrays mayinitially be configured with the regular expression rules converted intoNFAs or tagged NFAs and optionally other pattern search rules. Idescribe a compiler for converting regular expressions into rulessupported by PRISM. I also describe architecture for compact, efficientand high speed implementation for programming, compiling and searching alarge number of signature patterns for applications like anti-virus.PRISM memory may optionally comprise of configuration control logicwhich may be distributed or central or a combination thereof. Theconfiguration control logic may optionally address PRISM memory cells toread and/or write FSA rules or other patterns to be searched. Once thePRISM memory is setup with all the related information about the NFAsand other rules, the content to be examined can be presented to thePRISM memory. PRISM memory provides capabilities to update rules orprogram new rules or additional rules, in line with the contentexamination within a few clock cycles unlike the current regularexpression processors which require the content evaluation to stop forlong periods of time until large tables of composite DFAs are updated inan external or internal memory. Typically the content is presented as astream of characters or symbols which get examined against the rules inthe PRISM memory simultaneously and whenever a rule is matched the PRISMmemory array provides that indication as a rule match signal which isinterpreted by the control logic of the PRISM. There may be multiplerule matches simultaneously in which case a priority encoder which mayalso be programmable is used to select one or more matches as thewinner(s). The priority encoder may then provide a tag or an address oran action or a combination that may have already been programmed in thepriority encoder which may be used to look-up related data fromassociated on-chip or off-chip memory that may optionally determine thenext set of actions that may need to be taken on the content beingexamined. For example, in case of a security application if a set ofregular expressions are defined and programmed for spam detection, thenif one or more of these rules when matched can have action(s) associatedwith them that the message or content may need to quarantined for futureexamination by a user or it can have an action that says the contentshould be dropped or enable a group of regular expressions in the PRISMmemory to be applied to the content or the like depending on thespecific application. The PRISM memory architecture comprises of meansor circuits or the like for programming and reprogramming of the FSArules and optionally CAM signatures and masks. It further comprises ofmeans or circuits or the like to stream the content to be searched tothe PRISM memory arrays. It may further comprise of priority encoderwhich may optionally be programmable. The PRISM memory may optionallycomprise of random access memory (on-chip or off-chip) which is used tostore actions associated with specific rule matches. The PRISM memorymay optionally comprise of database extension ports which may beoptionally used when the number of rules is larger than those that mayfit in a single integrated circuit chip. The PRISM memory may optionallycomprise of clusters of PRISM memory cells that enable a group of FSArules to be programmed per cluster. The PRISM memory clusters mayoptionally comprise of context memory for fast storage and retrieval ofFSA states for examination of content that belongs to different streamsor contexts or flows or sessions or the like as described below referredto as context memory. For clarity, context memory or global contextmemory or local context memory or cluster context memory, all compriseof memory like random access memory or RAM or Dynamic RAM (DRAM) or DDRor QDR or RLDRAM or RDRAM or FCRAM or Static RAM (SRAM) or read onlymemory (ROM) or FLASH or cache memory or the like or any futurederivatives of such memories as discussed above. The PRISM memory mayoptionally comprise of global context memory beside the local clustercontext memory for storage and retrieval of FSA states of differentcontexts and enable supporting a large number of contexts. The clustercontext memory may optionally cache a certain number of active contextswhile the other contexts may be stored in the global context memory.There may optionally be off-chip context memory as well, which can beused to store and retrieve FSA states for much larger number ofcontexts. The PRISM memory may optionally comprise of cache or contextcontrol logic (also referred as “context controller”) that manages thecluster, global or external context memory/cache or a combinationthereof. The cache or context control logic may optionally bedistributed per cluster or may be central for the PRISM memory or anycombination thereof. The PRISM controller or the content stream logicthat streams the content to be searched may be provided with anindication of the context of the content being searched or it may detectthe context of the content or a combination thereof, and may optionallydirect the context memory and associated control logic i.e. the contextcontroller to get the appropriate context ready. Once the context memoryhas the required context available an indication may be provided toPRISM configuration control logic that it may program or load thecontext states in the PRISM memory. The PRISM configuration controllogic (also referred as “configuration controller” in this patent) mayoptionally first save the current context loaded in the set of activeFSA blocks before loading the new context. The configurationcontroller(s) and the context controller(s) may thus optionally storeand retrieve appropriate contexts of the FSAs and start searching thecontent against the programmed rules with appropriate context states ofthe FSAs restored. Thus PRISM memory may optionally dynamicallyreconfigure itself at run-time based on the context of the content orthe type of the application or the like or a combination thereofenabling run-time adaptable PRISM memory architecture. The contexts asreferred to in this patent may, as examples without limitation, berelated to specific streams, or documents, or network connections ormessage streams or sessions or the like. The PRISM memory may processcontent from multiple contexts arriving in data groups or packets or thelike. For content search in applications where the content belonging toone context may arrive interspersed with content from other contexts, itmay be important to maintain the state of the content searched for acontext up to the time when content from a different context getssearched by PRISM memory. The context memory or cache with theassociated controllers as described in this patent enable handling ofmultiple contexts.

For clarification, the description in this patent application uses termNFA to describe the NFAs and optionally, when tagging is used in regularexpressions, to describe tagged NFA unless tagged NFA is specificallyindicated. All NFAs may optionally be tagged to form tagged NFAs, hencethe description is not to be used as a limiter to apply only to taggedNFAs. The descriptions of this patent are applicable for non-tagged NFAsas well and tagging is an optional function which may or may not beimplemented or used, and thus non-tagged NFAs are covered by theteachings of this patent as will be appreciated by one skilled in theart. At various places in this patent application the term contentsearch memory, content search memory, search memory and the like areused interchangeably for programmable intelligent search memory or PRISMmemory. These usages are meant to indicate the content search memory orPRISM memory of this invention without limitation.

Berry and Sethi in their paper “From Regular Expressions toDeterministic Automata” Published in Theoretical Computer Science in1986, showed that regular expressions (REs) can be represented by NFAssuch that a given state in the state machine is entered by one symbol,unlike the Thompson NFA. Further, the Berry-Sethi NFAs are epsilon-free.A ‘V’ term RE can be represented using ‘V+1’ states NFA usingBerry-Sethi like NFA realization method. The duality of Berry-Sethimethod also exists where all transitions that lead the machine out of astate are dependent on the same symbol. This is shown in the paper “ATaxonomy of finite automata construction algorithms” by Bruce Watsonpublished in 1994 in section 4.3. I show a method of creating NFA searcharchitecture in a memory leveraging the principles of Berry-Sethi's NFArealization and the dual of their construct. The NFA search memory isprogrammable to realize an arbitrary regular expression using thecompiler flow of this invention to convert a regular expression to thatusable by PRISM. The compiler of this invention follows the principlesof Berry-Sethi FSA construction to convert regular expressions into anFSAs and creates various data structures that are required for PRISM tooperate as a programmable regular expressions engine.

This PRISM memory and the compiler for PRISM of this patent may be usedfor many applications like those for detecting intrusions, extrusionsand confidential information disclosure (accidental or malicious orintended), regulatory compliance search using hardware for regulationslike HIPAA, Sarbanes-Oxley, Graham-Leach-Bliley act, California securitybills, security bills of various states and/or countries and the like,deep packet inspection, detecting spam, detecting viruses, detectingworms, detecting spyware, detecting digital rights managementinformation, instant message inspection, URL matching, applicationdetection, detection of malicious content, and other content, policybased access control as well as other policy processing, content basedswitching, load balancing, virtualization or other application layercontent inspection for application level protocol analysis andprocessing for web applications based on HTTP, XML and the like andapplying specific rules which may enable anti-spam, anti-virus, othersecurity capabilities like anti-spyware, anti-phishing and the likecapabilities. The content inspection memory may be used for detectingand enforcing digital rights management rules for the content. Thecontent inspection memory may also be used for URL matching, stringsearches, genetic database searches, proteomics, bio informatics, webindexing, content based load balancing, sensitive information searchlike credit card numbers or social security numbers or healthinformation or the like.

Classification of network traffic is another task that consumes up tohalf of the processing cycles available on packet processors leaving fewcycles for deep packet inspection and processing at high line rates. Thedescribed content search memory can significantly reduce theclassification overhead when deployed as companion search memory topacket processors or network processors or TOE or storage networkprocessors or the like.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 a illustrates Thompson's NFA (prior art)

FIG. 1 b illustrates Berry-Sethi NFA (prior art)

FIG. 1 c illustrates DFA (prior art)

FIG. 2 a illustrates a left-biased NFA and state transition table (priorart)

FIG. 2 b illustrates a right-biased NFA and state transition table(prior art)

FIG. 3 a illustrates state transition controls

FIG. 3 b illustrates configurable next state tables per state

FIG. 4 a illustrates state transition logic (STL) for a state

FIG. 4 b illustrates a state logic block

FIG. 5 a illustrates state transition logic (STL) for a state inLeft-Biased FSA

FIG. 5 b illustrates state transition logic (STL) for a state inRight-Biased FSA

FIG. 6A illustrates Right-biased Tagged NFA Rule block in PRISM

FIG. 6B illustrates Left-biased Tagged NFA Rule block in PRISM

FIG. 7 illustrates PRISM Block Diagram

FIG. 7 b illustrates PRISM Memory Cluster (PMC) Array

FIG. 8 a illustrates PRISM Memory Cluster Block Diagram

FIG. 8 b illustrates PRISM Memory Cluster Detailed Block Diagram

FIG. 9 illustrates PRISM search compiler flow (full+incremental ruledistribution)

FIG. 10 illustrates PRISM FSA Compiler flow

FIG. 11 illustrates PRISM Row-Wise FSA Extension

FIG. 11A illustrates PRISM Rule Group FSA Extension.

FIG. 12 illustrates PRISM Row-Wise FSA Extension Example #1

FIG. 13 illustrates PRISM Row-Wise FSA Extension Example #2

FIG. 14 illustrates PRISM Column-Wise FSA Extension

FIG. 15 illustrates PRISM FSA Extension Example #1

FIG. 16 a illustrates Column-Wise PRISM FSA Extension Example

FIG. 16 b illustrates Row-Wise and Column-Wise PRISM FSA ExtensionExample

FIG. 17A illustrates PRISM FSA without Interval Symbol

FIG. 17B illustrates PRISM FSA with Interval Symbol

FIG. 17C illustrates PRISM FSA Interval Symbol State Counter Block

FIG. 18A illustrates State transition logic (STL) for a state in PRISMwith interval symbol

FIG. 18B illustrates a State Logic Block for a state in PRISM withinterval symbol

FIG. 19 illustrates PRISM Search Engine with Interval Symbol

FIG. 20 illustrates PRISM Signature Compiler Flow

FIG. 21 illustrates PRISM Signature Search Flow

FIG. 22 illustrates Signature Search Engine for variable lengthsignatures

FIG. 23 illustrates Signature Search Engine using PRISM FSA for variablelength signatures

FIG. 24 illustrates PRISM integrated in a DRAM

FIG. 25 illustrates PRISM integrated in a DRAM in second configuration

FIG. 26 illustrates PRISM and cryptographic processing integrated in aDRAM

FIG. 27 illustrates a regular expression engine integrated in a DRAM

DESCRIPTION

I describe a FSA extension architecture, a complex regular expressionswith interval architecture, signature recognition architecture and aregular expression compiler for a high performance ProgrammableIntelligent Search Memory for searching content with regular expressionsas well as other pattern searches like signatures. The regularexpressions may optionally be tagged to detect sub expression matchesbeside the full regular expression match. The regular expressions areconverted into equivalent FSAs that may optionally be NFAs and mayoptionally be converted into tagged NFAs. The PRISM memory alsooptionally supports ternary content addressable memory functionality. Sofixed string searches may optionally be programmed into the PRISMmemory. PRISM memory enables a very efficient and compact realization ofintelligent content search using FSA to meet the needs of current andemerging content search applications. Unlike a regular expressionprocessor based approach, the PRISM memory can support tens of thousandsto hundreds of thousands of content search rules defined as regularexpressions as well as patterns of strings of characters. A compiler forcompiling these regular expression rules into PRISM compatible datastructure is described in this invention to enable PRISM to perform thecontent inspection using the compiled rules. The PRISM memory performssimultaneous search of regular expressions and other patterns. Thecontent search memory can perform high speed content search at linerates from 1 Gbps to 10 Gbps and higher, when the best of class servermicroprocessor can only perform the same tasks at well below 100 Mbps.The content search memory can be used not only to perform layer 2through layer 4 searches that may be used for classification andsecurity applications, it can also be used to perform deep packetinspection and layer 4 through layer 7 content analysis.

Following are some of the embodiments, without limitations, that canimplement PRISM memory:

The PRISM memory may be embodied inside network interface cards ofservers, workstations, client PCs, notebook computers, handheld devices,switches, routers and other networked devices. The servers may be webservers, remote access servers, file servers, departmental servers,storage servers, network attached storage servers, database servers,blade servers, clustering servers, application servers, content/mediaservers, VOIP servers and systems, grid computers/servers, and the like.The PRISM memory may also be used inside an I/O chipset of one of theend systems or network core systems like a switch or router or applianceor the like.

The PRISM memory may also be embodied on dedicated content searchacceleration cards that may be used inside various systems described inthis patent. Alternatively, PRISM memory may also be embodied as acontent search memory inside a variety of hardware and/or integratedcircuits like ASSPs, ASICs, FPGA, microprocessors, multi-coreprocessors, network processors, TCP Offload Engines, network packetclassification engines, protocol processors, regular expressionprocessors, content search processors, mainframe computers, gridcomputers, servers, workstations, personal computers, laptops, handhelddevices, cellular phones, wired or wireless networked devices, switches,routers, gateways, XML accelerators, VOIP servers, Speech recognitionsystems, bio informatics systems, genetic and proteomics search systems,web search servers, electronic vault application networks and systems,Data Warehousing systems, Storage area network systems, content indexingappliances like web indexing, email indexing and the like, chipsets andthe like or any combination thereof. Alternatively, PRISM memory blocksmay be embedded inside other memory technologies like DRAM, SDRAM, DDRDRAM, DDR II DRAM, RLDRAM, SRAM, RDRAM, FCRAM, QDR SRAM, DDR SRAM, CAMs,Boundary Addressable Memories, Magnetic memories, Flash or other specialpurpose memories or a combination thereof or future derivates of suchmemory technologies to enable memory based content search.

One preferred embodiment of the invention is in an integrated circuitmemory chip that may support around 128,000 8-symbol regular expressionrules in current process technologies. A second preferred embodiment ofthe PRISM technology is an integrated circuit memory chip that maysupport around 8,000 regular expression rules in current processtechnologies to support applications where a lower content search memorycost is required. Each process generation may provide ability to storearound twice as many PRISM memory bits as the previous generation. Thusin one preferred embodiment the PRISM memory would be able to supporttens of thousands of eight state FSA and can potentially support over100,000 FSAs. There are many variations of the PRISM memory architecturecan be created that can support more or less FSAs depending upon variousfactors like the number of states per FSA, the chip die area, cost,manufacturability expectations and the like which will be appreciated bya person with ordinary skill in the art.

DETAILED DESCRIPTION

I describe a FSA extension architecture, a complex regular expressionswith interval architecture, signature recognition architecture and aregular expression compiler for a high performance ProgrammableIntelligent Search Memory for searching content with regular expressionsas well as other pattern searches like signatures. The regularexpressions may optionally be tagged to detect sub expression matchesbeside the full regular expression match. The regular expressions areconverted into equivalent NFAs or FSAs and optionally into tagged NFAs.The PRISM memory also optionally supports ternary content addressablememory functionality. So fixed string searches may optionally beprogrammed into the PRISM memory of my invention. PRISM memory of thisinvention enables a very efficient and compact realization ofintelligent content search using FSA to meet the needs of current andemerging content search applications. Unlike a regular expressionprocessor based approach, the PRISM memory can support tens of thousandsto hundreds of thousands of content search rules defined as regularexpressions as well as patterns of strings of characters. The PRISMmemory performs simultaneous search of regular expressions and otherpatterns. The content search memory can perform high speed contentsearch at line rates from 1 Gbps to 10 Gbps and higher using currentprocess technologies. The description here is with respect to onepreferred embodiment of this invention in an integrated circuit (IC)chip, it will be appreciated by those with ordinary skill in the artthat changes in these embodiments may be made without departing from theprinciples and spirit of the invention. The illustrations are made topoint out salient aspects of the invention and do not illustrate wellunderstood IC design elements, components and the like implementation ofthe invention in integrated circuits so as not to obscure the invention.

Ability to perform content search has become a critical capability inthe networked world. As the network line rates go up to 1 Gbps, 10 Gbpsand higher, it is important to be able to perform deep packet inspectionfor many applications at line rate. Several security issues, likeviruses, worms, confidential information leaks and the like, can bedetected and prevented from causing damage if the network traffic can beinspected at high line rates. In general, content search rules can berepresented using regular expressions. Regular expression rules can berepresented and computed using FSAs. NFAs and DFAs are the two types ofFSAs that are used for evaluation of regular expressions. For high linerate applications a composite DFA can be used, where each character ofthe input stream can be processed per cycle of memory access. However,this does have a limit on how fast the search can be performed dictatedby the memory access speed. Another limiter of such approach is theamount of memory required to search even a modest number of regularexpression rules. As discussed above, NFAs also have their limitationsto achieve high performance on general purpose processors. In general,today's best of class microprocessors can only achieve less than 100Mbps performance using NFAs or DFAs for a small number of regularexpressions. Hence, there is a clear need to create targeted contentsearch acceleration hardware to raise the performance of the search tothe line rates of 1 Gbps and 10 Gbps. PRISM memory is such a highperformance content search hardware that can be targeted for high linerates. The invention of this patent describes a compiler to make PRISMmemory structures useful for processing content against a large numberof regular expressions compiled to leverage PRISM capabilities.

As described earlier, regular expression can be represented using FSAlike NFA or DFA. FIG. 1 a illustrates Thompson's construction for theregular expression (xy+y)*yx. Thompson's construction proceeds in a stepby step manner where each step introduces two new states, so theresulting NFA has at most twice as many states as the symbols orcharacters and operators in the regular expression. An FSA is comprisedof states, state transitions, and symbols that cause the FSA totransition from one state to another. An FSA comprises at least onestart state, and at least one accept state where the start state iswhere the FSA evaluation begins and the accept state is a state which isreached when the FSA recognizes a string. Block 101 represent the startstate of the FSA, while block 105 is an accept state. Block 102represents state 2 and 104 represents state 3. The transition from state2 to state 3 is triggered on the symbol x, 103 and is represented as adirected edge between the two states. Thompson's NFA comprises of ‘ε’transitions, 116, which are transitions among states which may be takenwithout any input symbol.

FIG. 1 b illustrates Berry-Sethi NFA for the regular expression(xy+y)*yx. Berry and Sethi described an algorithm of converting regularexpressions into FSA using a technique called ‘marking’ of a regularexpression. It results in an NFA which has a characteristic that alltransitions into any state are from the same symbol. For example, alltransitions into state 1, 107, are from symbol ‘x’. The othercharacteristic of the Berry-Sethi construct is that number of NFA statesare the same as the number of symbols in the regular expression and onestart state. In this type of construction, each occurrence of a symbolis treated as a new symbol. The construction converts the regularexpression (xy+y)*yx to a marked expression (x₁y₂+y₃)*y₄x₅ where each x₁leads to the same state, 107. The figure does not illustrate themarkings. Once the FSA is constructed the markings are removed. The FIG.1 b illustrates the NFA with the markings removed. As can be seen fromthe figure, in Berry-Sethi construction all incoming transitions into astate are all dependent on the same symbol. Similarly, a duality ofBerry-Sethi construct also has been studied and documented in theliterature as discussed earlier, where instead of all incomingtransitions being dependent on the same symbol, all outgoing transitionsfrom a state are dependent on the same symbol. The Berry-Sethi constructis also called a left-biased type of construct, where as its dual iscalled a right-biased construct.

Finite State Automaton can evaluate incoming symbols or charactersagainst the regular expression language of the automaton and detect whenan input string is one of the strings recognized by it. However, it isadvantageous in certain conditions to know if a certain sub-expressionof the regular expression is also matched. That may be enabled bytagging the NFA as described in the paper by Ville Laurikari referredearlier. Following description illustrates how the inventions of thispatent enable tagged NFA realization in PRISM memory. The tagging forsub-expression checking may involve further processing of the FSA touniquely identify sub-expression matching. However for illustrationpurpose, if in the regular expression “(xy+y)*yx” if one desires todetect if the sub-expression “xy” is in the recognized string, one cantag the state 4, 110, as a tagged state. Thus, whenever the regularexpression transitions through state 4, 110, the sub-expression match ortag match may be indicated. There may also be need to detect if aspecific transition leads the regular expression through a desiredsub-expression. In such a case a tag start state and a tag end state maybe marked. For instance, if it is desired to detect if the transitionfrom state 0 to state 2, 117, is taken then the state 0 may be marked asa tag start state and state 2 may be marked as a tag end state. Thetagged FSA implementation may then indicate the beginning of the tagtransition when the FSA reaches the tag start state and then indicatethe end of the tag transition when the FSA reaches the tag end state. Ifthe FSA moves from the tag start state immediately followed bytransitioning into tag end state, then the tagged FSA can indicate thematch of a tagged transition. The illustrations in the description belowdo not illustrate this aspect of tagged NFA, though it may optionally besupported in PRISM and may be easily implemented as follows or othermeans for example by adding a tag start and tag end state flags (asmemory bits or flip-flops) and the logic for the tag transitiondetection to follow the steps described above as can be appreciated bythose with ordinary skill in the art. The patent of this disclosureenables detection of sub-expressions using tagging.

FIG. 1 c illustrates a DFA for the same regular expression (xy+y)*yx.DFA is deterministic in that only one of its states is active at a giventime, and only one transition is taken dependent on the input symbol.Whereas in an NFA, multiple states can be active at the same time andtransitions can be taken from one state to multiple states based on oneinput symbol. There are well known algorithms in the literature, likesubset construction, to convert a RE or NFA to a DFA. This DFA may berealized in the PRISM Memory using the constructs described below torepresent an FSA, using a left-biased realization. Thus PRISM memory ofthis invention may also be used to program certain DFAs where allincoming transitions to each state are with the same symbol like the DFAof this illustration.

FIG. 2 a illustrates a left-biased NFA and its state transition table(prior art). The illustration is a generic four state Berry-Sethi likeNFA with all transitions from each node to the other shown with theappropriate symbol that the transition depends on. For example, state A,201 has all incoming transitions dependent on symbol ‘a’ as illustratedby example transitions labeled 202 and 203. When the FSA is in State A,201, an input symbol ‘d’, transitions the FSA to state D with thetransition, 204, from state A to state D. The table in the figureillustrates the same FSA using a state transition table. The column‘PS’, 211, is the present state of the FSA, while the row ‘sym’, 212, isa list of all the symbols that the state transitions depend on. Thetable 213, illustrates the next state (NS) that the FSA will transitionto from the present state (PS) when an input symbol from those in thesym header row is received. In this FSA, state ‘A’ is the start stateand state C is an accept state. Hence, if the FSA is in the presentstate ‘A’ and an input symbol ‘b’ is received, the FSA transitions tothe next state ‘B’. So when the next input symbol is received, the FSAis in present state ‘B’ and is evaluated for state transition with therow corresponding to present state ‘B’.

FIG. 2 b illustrates a right-biased NFA and its state transition table(prior art). The illustration is a generic four state dual ofBerry-Sethi NFA with all transitions from each node to the other shownwith the appropriate symbol that the transition depends on. For example,state ‘A’, 205 has all outgoing transitions dependent on symbol ‘a’ asillustrated by example transitions labeled 208 and 209 where as unlikethe left-biased NFA described above, each incoming transition is not onthe same symbol, for example transitions labeled 206 and 207 depend onsymbols ‘ID’ and ‘d’ respectively. The state transition table in thisfigure is similar to the left biased one, except that the FSAtransitions to multiple states based on the same input symbol. Forexample if the FSA is in the present state ‘B’ and a symbol ‘b’ isreceived, then the FSA transitions to all states ‘A’, ‘B’, ‘C’ and ‘D’.When an input symbol is received which points the FSA to an empty box,like 216, the FSA has received a string which it does not recognize. TheFSA can then be initialized to start from the start state again toevaluate the next string and may indicate that the string is notrecognized.

The FIG. 2 a and FIG. 2 b, illustrate generic four state NFAs where allthe transitions from each state to the other are shown based on theleft-biased or right-biased construct characteristics. However not allfour state NFAs would need all the transitions to be present. Thus if asymbol is received which would require the FSA to transition from thepresent state to the next state when such transition on the receivedinput symbol is not present, the NFA is said to not recognize the inputstring. At such time the NFA may be restarted in the start state torecognize the next string. In general, one can use these example fourstate NFAs to represent any four state RE in a left-biased (LB) orright-biased (RB) form provided there is a mechanism to enable ordisable a given transition based on the resulting four states NFA forthe RE.

FIG. 3 a illustrates state transition controls for a left-biased andright-biased NFA. The figure illustrates a left-biased NFA with a state‘A’, 300, which has incoming transitions dependent on receiving inputSymbol ‘S1’ from states ‘B’, 301, ‘C’, 302, and ‘D’, 303. However, thetransitions from each of the states ‘B’, ‘C’ and ‘D’ to state ‘A’, occuronly if the appropriate state dependent control is set besides receivingthe input symbol ‘S1’. The state dependent control for transition fromstate ‘B’ to state ‘A’ is V₂ while those from states ‘C’ and ‘D’ tostate ‘A’ is V₃ and V₄ respectively. Transition to the next state ‘A’ isdependent on present state ‘A’ through the state dependent control V₁.Thus transition into a state ‘A’ occurs depending on the received inputsymbol being ‘S1’ and if the state dependent control for the appropriatetransition is set. Thus, one can represent any arbitrary four states NFAby setting or clearing the state dependent control for a specifictransition. Thus, if a four states left biased NFA comprises oftransition into state ‘A’, from state ‘B’ and ‘C’ but not from thestates ‘A’ or ‘D’, the state dependent controls can be set as V₁=0,V₂=1, V₃=1 and V₄=0. Hence if the NFA is in state ‘D’ and a symbol ‘S1’is received, the NFA will not transition into state ‘A’, however if theNFA is in state ‘B’ and a symbol ‘S1’ is received the NFA willtransition into state ‘A’.

Similarly, FIG. 3 a also illustrates states and transitions for aright-biased NFA. The figure illustrates a right-biased NFA with a state‘A’, 306, which has incoming transitions from state ‘B’, 307, state ‘C’,308, and state ‘D’, 309, on receiving input symbols ‘S2’, ‘S3’ and ‘S4’respectively. However, the transitions from each of the states ‘B’, ‘C’and ‘D’ to state ‘A’, occur only if the appropriate state dependentcontrol is set besides receiving the appropriate input symbol. The statedependent control for transition from state ‘B’ to state ‘A’ is V₂ whilethose from states ‘C’ and ‘D’ to state ‘A’ is V₃ and V₄ respectively.Transition to the next state ‘A’ is dependent on present state ‘A’through the state dependent control V₁. Thus transition into a state ‘A’occurs based on the received input symbol and if the state dependentcontrol for the appropriate transition is set. Thus, one can representany arbitrary four states right-biased NFA by setting or clearing thestate dependent control for a specific transition. All state transitioncontrols for a given state form a state dependent vector (SDV), which iscomprised of V₁, V₂, V₃, and V₄ for the illustration in FIG. 3 a for theleft-biased and the right-biased NFAs.

FIG. 3 b illustrates configurable next state table per state. Theleft-biased state table for ‘NS=A’, is shown by the table 311, whereasthe right-biased state table for ‘NS=A’, is shown by the table 312. Thestate dependent vector for both left-biased and right-biased NFA stateis the same, while the received input symbol that drive the transitionare different for the left-biased vs. right-biased NFA states. Thus astate can be represented with properties like left-biased (LB),right-biased (RB), start state, accept state, SDV as well as action thatmay be taken if this state is reached during the evaluation of inputstrings to the NFA that comprises this state.

FIG. 4 a illustrates state transition logic (STL) for a state. The STLis used to evaluate the next state for a state. The next state computedusing the STL for a state depends on the current state of the NFA, theSDV, and the received symbol or symbols for a left-biased NFA andright-biased NFA respectively. The InChar input is evaluated againstsymbols ‘S1’ through ‘Sn’ using the symbol detection logic, block 400,where ‘n’ is an integer representing the number of symbols in the RE ofthe NFA. The choice of ‘n’ depends on how many states are typicallyexpected for the NFAs of the applications that may use the searchmemory. Thus, ‘n’ may be chosen to be 8, 16, 32 or any other integer.The simplest operation for symbol detection may be a compare of theinput symbol with ‘S1’ through ‘Sn’. The output of the symbol detectionlogic is called the received symbol vector (RSV) comprised of individualdetection signals ‘RS1’ through ‘RSn’. LB/RB# is a signal that indicatesif a left-biased NFA or a right-biased NFA is defined. LB/RB# is alsoused as an input in evaluating state transition. The STL for a statesupports creation of a left-biased as well as right-biased NFAconstructs. The LB/RB# signal controls whether the STL is realizing aleft-biased or a right-biased construct. The state dependent vector inthe form of ‘V1’ through ‘Vn’, is also applied as input to the STL. TheSDV enables creation of arbitrary ‘n’-state NFAs using STL as a basisfor a state logic block illustrated in FIG. 4 b. Present states are fedinto STL as a current state vector (CSV) comprised of ‘Q1’ through ‘Qn’.STL generates a signal ‘N1’ which gets updated in the state memory,block 402, on the next input clock signal. ‘N1’ is logically representedas N1=((V1 and Q1 and (LB/RB# OR RS1)) OR (V2 and Q2 and (LB/RB# ORRS2)) OR . . . (Vn and Qn and (LB/RB# OR RSn)) AND ((NOT LB/RB# OR RS1).Similar signal for another state ‘n’, would be generated with similarlogic, except that the signal 401, feeding into the OR gate, 415, wouldbe ‘RSn’, which is the output of the ‘n’-th symbol detection logic,changing the last term of the node ‘N1’ logic from ((NOT LB/RB# OR RS1)to ((NOT LB/RB# OR RSn). The state memory, 402, can be implemented as asingle bit flip-flop or a memory bit in the state logic block discussedbelow.

FIG. 4 b illustrates a state logic block (SLB). The SLB comprises theSTL, 406, Init logic, 408, state memory, 410, the accept state detectlogic, 411, the SDV for this state, 407, start flag, 409, accept flag,412, tag associated with this state, 419, or action associated with thisstate, 413 or a combination of the foregoing. The SLB receives currentstate vector and the received symbol vector which are fed to STL todetermine the next state. The realization of a state of an arbitrary NFAcan then be done by updating the SDV for the state and selecting thesymbols that the NFA detects and takes actions on. Further, each statemay get marked as a start state or an accept state or tagged NFA stateor a combination or neither start or accept or tagged state through thestart, tag and accept flags. The init logic block, 408, receives controlsignals that indicate if the state needs to be initialized from thestart state or cleared or disabled from updates, or loaded directly withanother state value, or may detect a counter value and decide to accepta transition or not and the like. The init block also detects if the FSAhas received a symbol not recognized by the language of the regularexpression and then may take the FSA into a predefined initial state tostart processing the stream at the next symbol and not get into a statewhere it stops recognizing the stream. The Init block can be used tooverride the STL evaluation and set the state memory to active orinactive state. The STL, 406, provides functionality as illustrated inFIG. 4 a, except that the state memory is included in the SLB asindependent functional block, 410. The state memory, 410, can beimplemented as a single bit flip-flop or a memory bit. When the statememory is set it indicates that the state is active otherwise the stateis inactive. The accept detect logic, 411, detects if this state hasbeen activated and if it is an accept state of the realized NFA. If thestate is an accept state, and if this state is reached during the NFAevaluation, then the associated action is provided as an output of theSLB on the A1 signal, 416, and an accept state activation indicated onM1, 417. If the FSA reaches a state which is flagged as a tagged stateusing the tag flag, then the match detect logic may indicate a tagmatch, not illustrated, which another circuit can use to determine theaction to be taken for the particular tag. The action could be set up tobe output from the SLB on the state activation as an accept state aswell as when the state is not an accept state, like a tagged state, asrequired by the implementation of the NFA. This can enable the SLB to beused for tagged NFA implementation where an action or tag action can beassociated with a given transition into a state.

If there are ‘n’ states supported per FSA rule, then each SLB needs‘n’-bit SDV which can be stored as a n-bit memory location, 3-bitsallocated to start, tag and accept flags, 1-bit for LB/RB#, m-bit actionstorage. Thus if n=16 and m=6, then the total storage used per SLB wouldbe a 26-bit register equivalent which is a little less than 4 bytes perstate. If tag start flag and tag end flags are supported, notillustrated, then the number of memory bits would be 28-bits. Ifmultiple tagged expressions need to be enabled then the number of bitsfor tagging may be appropriately increased. When the number of states ina resulting FSA of a RE is more than ‘n’ supported by the FSA of PRISM,a mechanism is required that would allow the PRISM memory to supportsuch rules. The patent of this application describes such a mechanismand an architecture for that as described below.

FIG. 5 a illustrates State transition logic (STL) for a state in aleft-biased FSA. This figure illustrates state transition logic for astate of an FSA when the logic illustrated above for FIG. 4 a issimplified with the LB/RB# set to active and symbol detection logic forone of the states illustrated. The symbol bits are illustrated as‘m-bit’ wide as S_(1m) . . . S₁₁ illustrated in block 502. The inputcharacter symbol bits are labeled as cln_(m) . . . cln₁, 501. The symboldetection logic illustrated in FIG. 4 a, 400, is illustrated asindividual bits labeled E_(m) . . . E₁, 503, and is also referred to assymbol evaluation logic in this patent. The symbol dependent vector islabeled V_(n1) . . . V₁₁, 504 which indicates the symbol dependentvector bit enabling transition into state 1 from each of the ‘n’ statesthat represent the CSV, Q_(n) . . . Q₁, 509, of the FSA. RS1, 505, isthe result of the evaluation of the input character symbol with onesymbol of the FSA, S_(1m) . . . S₁₁ illustrated in block 502. The logicgates, 506 and 507, are NAND gates that form the logic function togenerate the next state, Q1, based on the RS1, SDV, V_(n1) . . . V₁₁,and CSV, Q_(n) . . . Q₁. States Q_(n) . . . Q₂ would be generated usingsimilar circuit structure as the one illustrated in FIG. 5 a, except theRSV bit, SDV and the symbol specific to the particular state will beused. For example, for the generation of state Q_(n) the Symbol would beS_(nm) . . . S_(n1), the SDV vector would be V_(nn) . . . V_(1n), andthe RSV bit would be RSn instead of RS1.

FIG. 5 b illustrates State transition logic (STL) for a state in aright-biased FSA. This figure illustrates state transition logic for astate when the logic illustrated above for FIG. 4 a is simplified withthe LB/RB# set to inactive state and symbol detection logic for one ofthe states illustrated. Key differences between the right biased FSAcircuit illustrated in this figure and the left-biased FSA illustratedin FIG. 5 a, is that the next state generation logic depends on allreceived symbol vector bits, RS1, 505, through RSn, 505 n, which are theresult of the evaluation of the input character symbol with each of the‘n’ symbols of the FSA instead of only one RSV bit, RS1, 505,illustrated in FIG. 5 a. The logic gates, 506 a and 507 b, represent theright-biased FSA logic function to generate the next state based on theRSV, RS1, 505, through RSn, 505 n, SDV, V_(n1) . . . V₁₁, and CSV, Q_(n). . . Q₁. States Q_(n) . . . Q₂ would be generated using similar circuitstructure as the one illustrated in FIG. 5 b, except the SDV and thesymbol specific to the particular state will be used. For example, forthe generation of state Q_(n) the Symbol would be S_(nm) . . . S_(n1),the SDV vector would be V_(nn) . . . V_(1n), and the RSV vector would bethe same, RS1, 505, through RSn, 505 n.

PRISM memory allows various elements of the FSA blocks to beprogrammable such that the compiler of this invention can accept aregular expression and compile it with information for various PRISMstate elements to make the general purpose programmable state machine ofPRISM FSA to implement the specific regular expression rule. Thecompiler can compile other rules and later replace the current rule withanother rule in the same PRISM FSA or may use another PRISM FSA or acombination of the like.

FIG. 6A illustrates Right-biased Tagged NFA Rule block in PRISM. Asdiscussed earlier the FSA of PRISM are optionally Tagged. For clarity,FSA rule block, PRISM FSA rule block, PRISM FSA rule memory block, ruleblock, rule memory block, are used interchangeable in this application.Further, NFA rule block or PRISM NFA rule block or NFA rule memoryblock, are also used interchangeably and mean a PRISM FSA rule blockwhere the FSA type is an NFA in this patent. The discussion below iswith respect to tagged NFA, though it is also applicable for non-taggedNFAs where the tagging elements, described below, are not used or notpresent. This figure illustrates state block 1, 601, which comprises ofsome elements of the state transition logic illustrated in FIG. 5 b. Thefigure illustrates other state blocks, 602 and 603, that represent stateblocks 2 through n, where ‘n’ is the number of states of the NFA. Theseblocks are illustrated without details unlike state block 1. The primarydifference between the blocks is that each state block generates its ownRSV bit and uses only its own state bit from the CSV.

For instance state block 2, generates RS2 by evaluating the receivedcharacter with the symbol programmed in its symbol logic block which issimilar to block 502. The state blocks are organized slightlydifferently than the illustration in FIG. 5 b. The logic for one stateillustrated in FIG. 5 b, is illustrated to be organized in a verticalslice like, 614, where each state block holds portion of the logicnecessary to form the final state. In this illustration the state Qn,508 n, is generated by processing the outputs from each state blocks'‘n’-th slice. The SDV vector bits held in each state block are fortransition control from the specific state to all other states. Forinstance the blocks, like 504 a, hold different members of the SDVvectors compared to the blocks, like 504. Thus the SDV for each state isdistributed amongst multiple state blocks unlike that illustrated inFIG. 5 b. For example state block 1, holds SDV vector bits V_(1n),V_(1(n-1)) through V₁₁ indicating state transition vector bits fortransitioning out of state 1 to the ‘n’ states, unlike FIG. 5 b whichare transposed where the state transition logic for a state holds bitsV_(n1), V_((n-1)) through V₁₁ for transition into state 1. The indicesV_(XY) indicate the state dependent vector bit that enables or disablestransition from state X to state Y where each X and Y may have a rangefrom 1 through n, where n is the number of states of the FSA. Thus theSDV of a state indicates the controls for enabling transitions from anystate to itself as illustrated in 504, which indicates SDV transitioncontrols from states n through 1 to state 1. As can be noticed theindices of the vector bits are reversed between the FIG. 5 b and FIG. 6a. Thus a specific state's SDV is distributed in multiple state blocksand is illustrated aligned vertically like slice 614. This figure alsoillustrates the initialization logic, 408, illustrated in FIG. 4 b asblock 605 that affects what value gets loaded in the state memory bit,508 n, under different conditions like initialization, startup, errorstate, store and load or context switch and the like. Thus SDV vectorsfor an FSA are written to the NFA block in a state transposed manner asdescribed above. The initialization block comprises ofinitialization/start state vector memory bits. Thus the input into theinit block, 605, is logically equivalent to the node N1 b in FIG. 5 b,adjusted for the appropriate state bit. The state control block, 604,comprises of the logic gates, 507 a, which logically NANDs the partialstate output, like 615, from the state blocks 1 through state block n.The state control block, 604, further comprises of the init logicblocks, like 605, and the state memory blocks, like 508. The NFA Ruleblock also comprises of tagged match detect block, 613, which mayoptionally comprise of tagging elements for supporting tagged NFAs. Thetagged match detect block comprises of Accept vector blocks, like 610,which comprise of accept vector memory bits and may optionally compriseof tag memory bits. The tagged match detect block further comprises ofaccept detect blocks, like 611, which comprise of accept state detectionand may optionally comprise of tagged state or state transitiondetection logic. The state memory blocks, like 508, may be controlled beclock or enable or a combination signals to step the FSA amongst itsstates as new input characters are evaluated. The clocked enable signalsmay provide more control over simple clock by enabling when the FSAshould be evaluated. For instance upon finding a match, the FSAcontroller, 802, described below may be programmed to hold furtherevaluation of any symbols for this FSA until the match information isprocessed. The NFA rule block generates multiple output signals that canbe used to indicate the progress of the FSA. The NFA rule block outputscomprise of a Rule Match, 609, which indicates when the regularexpression rule programmed in the NFA rule block is matched withcharacters of the input stream. The Rule Match signal may be used by thelocal or global priority encoder and evaluation processor, blocks 815and 713 respectively described below, to decide on next steps to betaken based on user programmed actions and/or policies. The priorityencoder and evaluation processors may optionally comprise of countersthat may be triggered upon specific rule matches. The counters may beused for several purposes like statistical events monitoring, matchlocation detection in the input stream and the like. The priorityencoders may also decide the highest priority winner if multiple matchesare triggered and then the output may be used to find the appropriateaction associated with the matched regular expression rule. The NFA ruleblock output may optionally comprise of Tag Match signal(s) that may beused by the priority encoders and evaluation processors to detectpartial regular expression matches. The number of tag match signals perNFA rule block may depend on the number of sub-expressions that areallowed to be detected in a given NFA. The NFA rule block is organizedas a series of memory locations that each hold a portion of the NFA ruleevaluation information using memory circuits like the SDV memory,Symbols memory, Mask vectors memory (discussed below), initialization orstart state vector memory, accept state vector memory, optionally tagstate flag or vector memory, the NFA states memory or current statevector memory and the like. The NFA rule block comprises of NFAevaluation circuits interspersed amongst the memory blocks storing theNFA programmable information like the SDV, start state, accept state,symbols and the like. The NFA rule blocks evaluate multiple symbolsagainst input stream for matches to step the FSA. Each symbol evaluationblock, like 504, may optionally output an indication of a patterncomparison between the input character and the programmed symbol. Theseoutput signals, like 617, 615, 616, can be treated as local contentaddressable memory match signals. The PRISM memory may optionallysupport logic that enables generating merged CAM match signals frommultiple NFA blocks to support larger width pattern matches. Thus thePRISM memory can be used as content addressable memory when enabled toprocess the CAM match signals. The PRISM memory can be optionallyconfigured such that portions of the memory support CAM functionalitywhile other portions may support FSA functionality or the entire PRISMmemory may optionally be configured to behave like FSA memory or CAMmemory. The CAM memories typically support functionality to detect 4byte patterns, 18 byte patterns or even 144 byte patterns. PRISM memorymay optionally provide configuration mechanisms to support similar largepattern evaluation by chaining multiple NFA rule blocks' CAM matchsignals using appropriate logic to generate composite CAM match signalsfor desired pattern width.

FIG. 6B illustrates Left-biased Tagged NFA Rule block in PRISM. Asdiscussed earlier the FSA of PRISM are optionally Tagged. The discussionbelow is with respect to tagged NFA, though it is also applicable fornon-tagged NFAs where the tagging elements, described below, are notused or not present. Left-biased NFA Rule blocks are similar infunctionality as those discussed above for the Right-biased NFAs exceptfor a few minor differences that enable the NFA rule block to behave asa Left-biased NFA. The state blocks, 601 a, 602 a, 603 a, in theleft-biased NFAs receive all RSV vector bits, like 505 n, unlike aspecific RSV bit per state block in the right-biased NFA. The input toNAND gates like 506 b, is the specific RSV bit depending on the bitslice at the bit location in the state block of the NAND gate. Thus bitlocation ‘p’ where ‘p’ can range from 1 through ‘n’, uses RSp (ReceivedSymbol Vector bit ‘p’) to generate the partial state block output, 615a. By making such a change in the blocks the NFA may now function as aleft-biased NFA. The rest of the blocks perform similar functions asdescribed above for a right-biased NFA.

PRISM memory may comprise of left-biased NFAs, right-biased NFAs or acombination of them or may be comprised as selectable left-biased orright-biased NFAs with logic similar to FIG. 4 a. All such variationsare within the scope of this invention, as may be appreciated by onewith ordinary skill in the art.

FIG. 9 illustrates PRISM search compiler flow which is used for full andincremental rules distribution. For clarity, the PRISM search compileris also referred to as search compiler or compiler in this patentapplication and the terms are used interchangeably. The search compilerof FIG. 9 allows an IT manager or user to create and compile search andsecurity rules of different types as illustrated by 901, 902 and 903,without limitations. Even though, the illustrated rules list primarilysecurity type rules though there may be regular expression rules for anyother application that needs content search like many applicationslisted in this patent application. The compiler flow would optionally beprovided with information about the specific nodes or networked systemsor otherwise that may use PRISM and the characteristics of these nodes,like the security capability, the rules communication method, the sizeof the rule base supported, the performance metrics of the node,deployment location e.g. LAN or SAN or WAN or other, or the like forspecific security or network related search applications. The compilerflow may optionally use this knowledge to compile node specific rulesfrom the rule set(s) created by the IT manager or the user. The compilercomprises a rules parser, block 904, for parsing the rules to bepresented to the PRISM FSA Compiler Flow, block 906, illustrated furtherin FIG. 10, which analyzes the rules and creates rules database thatneeds to be programmed into PRISM memory of the specific nodes orsystems for analyzing the content. The rules parser, block 904, alsoparses signature pattern rules like those for anti-virus solutions andpresents them to the PRISM Signature Compiler Flow, block 911,illustrated further in FIG. 20, which analyzes the signature patterns orrules and creates a signature rules database that needs to be programmedinto PRISM signature search engines for analyzing content. The ruleparser may read the rules from files of rules or directly from thecommand line or a combination depending on the output of the ruleengines like blocks 901, 902 and 903. The rules for a specific node areparsed to recognize the language specific tokens used to describe thesignature pattern rules or regular expression tokens and outputssignature pattern rules, 910, or regular expression (RE) rules, 905. Theparser then presents the REs to the PRISM FSA compiler flow whichprocesses the REs and generates NFA for RE. Optionally if tagging issupported by the specific PRISM instance, and if REs use tagging, thePRISM FSA compiler then decides whether the RE will be processed as aNFA or tagged NFA based on the PRISM memory capability. It thengenerates the NFA or tNFA rule in a format loadable or programmable intoPRISM memory and stores the database in the compiled rules databasestorage, 908.

Rules distribution engine, block 909, then communicates the rules tospecific system or systems that comprise of PRISM memory. The searchrules targeted to specific systems may be distributed to a hostprocessor or a control processor or other processor of the system thatcomprises PRISM memory. A software or hardware on the receivingprocessor may then optionally communicate the rules to the PRISM memoryby communicating with the bus interface, block 702, and the PRISMcontroller, block 703, described below to configure and/or program thePRISM memory with the FSA rules and signature search engines withsignature rules. The Rules distribution engine, 909, may optionallycommunicate directly with the PRISM controller through the bus interfaceblock, block 702, if the bus interface and PRISM controller optionallysupport such functionality. The rules may be distributed using a securelink or insecure link using proprietary or standard protocols asappropriate per the specific node's capability over a network.

FIG. 7 illustrates PRISM block diagram. As may be appreciated by onewith ordinary skill in the art, that many different variations of theseblocks and their configuration, organization and the like can be createdfrom the teachings of this patent and are all covered withoutlimitations. PRISM controller, block 703, communicates with the rulesdistribution engine, block 909, or with a master processor or acompanion processor like a host system microprocessor or a controlprocessor or a network processor or a switch processor or an ASIC basedcontroller or processor or the like to receive appropriate compiled ruletables prior to starting the content inspection. It programs thereceived rules into the appropriate PRISM NFA rule blocks, describedearlier, by working with the address decode and control logic block 704,coupled to the PRISM controller, block 703, and the PRISM memory clusterarrays, block 710. The PRISM controller, 703, also programs signaturerules that need to be searched by signature search engines, 722, tosignature search engines, 722 and signature rules that need to besearched as FSA rules to the NFA rule memory blocks in PRISM PSE arrays.There may be multiple rules being stored in each PRISM memory clusterarray NFA search blocks. There may optionally be multiple applicationspecific contexts, not illustrated, supported by the PRISM memorycluster arrays. Once the rules distribution engine provides the compiledrules to the control processor and scheduler and they are setup in theirrespective NFA rule blocks, PRISM memory is ready to start processingthe data stream to perform content inspection. The PRISM memory stateconfiguration information is received via the bus interface block, 702,which may communicate on a system bus or a network or the like with amaster processor or companion processor, not illustrated. The PRISMmemory of this patent may be deployed in various configurations like alook-aside configuration or flow-through configuration or an acceleratoradapter configuration or may be embedded inside variety of processors orlogic or ASICs or FPGA or the like as discussed earlier as well othersnot illustrated. In a look-aside or an accelerator adapterconfiguration, the PRISM memory is under control of a master processorwhich may be a network processor or a switch processor or a TCP/IPprocessor or classification processor or forwarding processor or a hostprocessor or a microprocessor or the like depending on the system inwhich such a card would reside. The PRISM controller, 703, receives theconfiguration information under the control of such master processorthat communicates with the rule engine to receive the configurationinformation and communicates it on to the PRISM memory. Once theconfiguration is done, the master processor provides packets or datafiles or content to the PRSIM memory for which content inspection needsto be done. The bus interface, 702, used to communicate with a masterprocessor may be standard buses like PCI, PCI-X, PCI express, ProcessorDirect Connect bus, RapidIO, HyperTransport or LA-1 or DDR or RDRAM orSRAM memory interface or SPI4 or Interlaken Protocol or theirderivatives or internal processor bus or the like or a proprietary bus.The bandwidth on the bus should be sufficient to keep the content searchmemory operating at its peak line rate to fully utilize the capabilityof PRISM, however a lower bandwidth bus or higher bandwidth bus may beused as well. If a lower bandwidth bus is used the total throughput maynot be higher than the bus throughput. When a higher throughput bus isutilized, the bus interface may need to stall the bus or drop somepackets, or the like and process the content at the maximum bandwidthsupported by that implementation of PRISM. The PRISM memory maypreferably be a memory mapped or may optionally be an IO mapped devicein the master processor space for it to receive the content and otherconfiguration information in a look-aside or accelerator configuration.PRISM memory optionally may be polled by the master processor or mayprovide a doorbell or interrupt mechanism to the master to indicate whenit is done with a given packet or content or when it finds a contentmatch to the programmed rules.

The PRISM controller receives incoming data for examination usingregular expression rules or for examination using patterns to bematched, and may optionally store them into data buffer/memory, block707, before presenting it to the PRISM memory cluster arrays, 710 andsignature search engines, 722. The PRISM memory may optionally directlystream the content to be examined to the content stream logic, block708, which may stage the content for examination by the PRISM memorycluster arrays, block 710 and signature search engines, 722. The PRISMcontroller maintains the record of the content being processed and oncethe content is processed it informs the master processor. The PRISMmemory cluster arrays inform the global priority encoder and evaluationprocessor, block 713, of the results of the search. When a match to arule is found the priority encoder and evaluation processor may retrievean action associated with the rule from the global action memory, block717, depending on programmable policies and may optionally provide thisto the PRISM controller. The PRISM controller may optionally inform themaster processor about the search results. The PRISM controller mayexecute the specific action or policy defined for the rule match. Theactions may optionally comprise to stop further content evaluation,enable a certain set of rules to be examined by enabling appropriatecluster array and pass the content through that PRISM memory clusterarray for further examination, or inform the master processor of theresult and continue further examination or hold the match result inon-chip or off-chip memory or buffers for the master processor torequest this information later or any combination thereof or the like.If the PRISM memory is configured to examine network traffic in aflow-through configuration, not illustrated, it may also be programmedto drop the offending packet or stop the specific TCP connection or thesession or the like. Optionally the master processor may receive thematch information and may take specific actions on the content stream.

The address decode and control logic, block 704, is coupled to the PRISMcontroller, 703, the bus interface, 702, the PRISM memory clusterarrays, 710, the global priority encoder and evaluation processor, 713,the database expansion port, 718 as well as other blocks through acoupling interface, 715. The PRISM memory may support a large number ofregular expressions in some preferred embodiments as discussed above,however if there are applications that need more rules, then there mayoptionally be a database expansion port, 718, which would enable theexpansion of the rules by adding additional PRISM memory(ies) to thedatabase expansion port. The database expansion port may provide aseamless extension of the number of rules and may use additional memoryspace in the host or master processor. There are multiple ways ofenabling the database expansion as may be appreciated by those withordinary skill in the art. The address decode and control logic is alsocoupled to optional, cluster address decode and FSA controller, block802, and decodes addresses for the PRISM memory locations which are usedto hold FSA rule block programming information as well as the FSA stateinformation. It may perform the address decode, memory read, memorywrite and other PRISM memory management control functions by itself orworking in conjunction with cluster address decode and FSA controller.The blocks 704 and optionally 802, may be programmed to provideconfiguration information for the clusters. The configurationinformation may optionally comprise of size of the NFAs e.g. 8-state or16-state or the like, CAM functionality enabling, tagged NFA relatedconfiguration, context addresses if appropriate for local clustercontext addressing and/or global context addresses, clusters specificconfigurations that may support a mixed CAM and Regular Expressionfunctionality at the PRISM memory level, action memory association forspecific FSA rules or clusters or a combination thereof and the like.The PRISM memory cluster arrays and other blocks like global and localpriority encoder and evaluation processor, blocks 713 and 815, local(not illustrated) and global action memories, block 717, and the likemay get configured and programmed with information before the contentinspection begins. Further, since PRISM memory supports dynamicreconfiguration of rules, its programming and configuration may beupdated during the content inspection as well for example when a newsecurity threat has been discovered and a new rule to catch thatsecurity violation needs to be programmed. The PRISM memory may providemultiple content streams to be processed through the PRISM memorycluster arrays, using context mechanism which associates each contentstream with a specific context, which may optionally be assigned aspecific context ID.

FIG. 7 b illustrates PRISM Memory Cluster (PMC) Array. The PRISM MemoryCluster Array comprises of an array of PRISM Memory clusters,illustrated and described below, which further comprise of PRISM SearchEngines (PSEs) which are also referred to as NFA rule blocks or NFAmemory rule blocks or NFA rule memory blocks or the like in this patent.In one preferred embodiment the PMC Array may comprise of 128 PRISMMemory clusters, arranged in 8 rows and 16 columns where each PMC maycomprise of 1024 PSEs, each providing 10 Gbps content searchperformance, and providing a capacity of over 128,000 rules beingsearched at 10 Gbps. Today's applications like intrusion detection orapplication layer security rules processing comprise of an equivalent ofaround 4000 to 5000 8-char RE rules. Thus the total number of RE rulesavailable in this preferred embodiment can support a large number ofsuch applications for security processing or search processing or thelike. The packet stream controller, block 726, presents the content tobe searched to the PMCs after the address decode and control logic,block 704, programs configuration information and compiled PRISM RErules in the PRISM memory clusters, block 705 (11) through 705(nm). Apacket header or content or other information data or the like to besearched is held in the content staging buffer, block 709, from where itmay be retrieved by the packet stream controller, 726. The packet streamcontroller presents the packet or data or content or the like to beexamined to each of the PRISM memory clusters, 705(11) through 705(nm),on buses like 724(1) through 724(m). The results of the examination orsearch by the PMC are presented to the Global priority encoder andevaluation processor on the buses, 711(1) through 711(n), whichdetermines if there is any rule match and if so which rule has matched.It may then communicate the results of the match to the PRISMcontroller, 703, or a master controller of PRISM or the like asdescribed in this patent. The buses 725(1) through 725(n) may be used tosave and restore specific PMC context during context switch. Althoughthe buses, 724(1) through 724(m) are illustrated to couple the packetstream controller to the first row of PMCs, 705(11) through 705(1 m),they may optionally run through all the PMCs and couple the packetstream controller to all PMCs. The packet stream controller may presenteach PMC with the same content or packet or data or the like to examine.However, the packet stream controller may also present different packetsor content or the like on each of the busses, 724(1) through 724(m). Ifall the PMCs in a horizontal row, like 705(11) through 705(1 m) wherem=16 in one preferred embodiment, are programmed with the same rules andif an application like intrusion detection and prevention system(IDS/IPS) application with around 4000 rules which can fit in PMCs inone vertical column like 728(1) comprising PMCs, like 705(11) through705 (n1) where n=8 in this embodiment, which provide 8096 RE rulesbetween 8 PMCs with 1024 PSEs each, then for this embodiment 16 times 10Gbps (or 160 Gbps) content search performance can be achieved. In thisembodiment, each vertical column of PMCs are programmed with the sameapplication rules which are then applied to packets or data or flows orcontent or the like presented to the PMCs in that column. Thus for theembodiment above, there can be 16 columns of PMCs providing IDS/IPSrules which may be repeated in each column of PMCs as described above.Under such a configuration it is feasible to achieve content searchperformance of well over 100 Gbps as discussed above when each of thePMC column examines content at 10 Gbps against the rules programmed,which is very feasible with integrated circuits designed with today'sprocess technologies like 90 nm, 65 nm and beyond. Each PSE can bedesigned to easily process content at 2.5 Gbps or 5 Gbps usingintegrated circuit chips made in today's silicon process technology.PRISM chip processing one byte per clock cycle when the clock frequencyis 325 MHz can achieve 2.5 Gbps performance and when the frequency is625 MHz a 5 Gbps performance can be achieved. With the current siliconprocess technologies, 325 MHz or 625 MHz designs can be realized byfollowing well understood chip design processes as would be appreciatedby those with ordinary skill in the art. Further, when the PRISM symbolsize is selected as 2 characters wide (i.e. process 16-bits of inputsper clock cycle instead of 8-bits in the case above), doubling of theline rate performance to 10 Gbps is achieved as may be appreciated bythose with ordinary skill in the art. Coupling two 5 Gbps PSE to achieve10 Gbps per coupled PSE is also enabled in PRISM Memory Clusters underthe control of the Cluster search control, block 807, and ClusterAddress decode and FSA controller, block 802, discussed below. Thus eachPMC can readily enable 10 Gbps content search performance as discussedabove. For PRISM chip to be able to fully realize the content searchperformance of over 100 Gbps, PRISM chip is designed with multiple 10Gbps bus interfaces or higher line rate bus interfaces to be able tobring in the 100 Gbps of data or content or packet traffic to be able tokeep the PRISM search engines busy at their peak performance. Thusvarious blocks illustrated in FIG. 7 like the bus interface, 702, thePRISM controller, 703, Address decode and control logic, 704, the globalpriority encoder and evaluation processor, 713, and the like aredesigned to handle the appropriate traffic throughput as may beappreciated by one with ordinary skill in the art.

Further PRISM memory cluster array comprises of power control signalbuses, like 737(1) through 737(n), which may be used to control whichPMC or PMCs are operational when content for a specific type of trafficor flow or packet or the like is being examined. The power controlsignal buses 737(1) through 737(n), may optionally be coupled to theclocks or other control signals of all the PMCs and individually controlwhich PMCs are active and which PMCs are in a power down mode ofoperation. For example, if all PMCs in column 728(1) are programmed withrules to perform anti-spam regular expression searches, while PMCs inother columns are programmed for other applications like XML ruleprocessing or the like, then if a received packet or content is an emailthat needs to be examined against anti-spam rules, the PMCs in column728(1) can be turned active by the power control signals, 737(1) through737(n), however all the other PMCs can be turned to a power down mode bytheir respective control signals from the power control signal buses,737(1) through 737(n). Hence, while the email is being examined foranti-spam rules, all other PMCs do not use power and can significantlyreduce the power consumption of PRISM integrated circuit chip.

To operate the PRISM integrated circuit chip at the desired frequency,the right level of repeaters or buffers or the like may be used asappropriate for the silicon process technology used, the desiredoperating frequency as may be obvious to one with ordinary skill in theart. The clocks, power, reset, buffers, repeaters and the like needed todesign such a PRISM IC are not illustrated so as to not obscure theinvention and would be obvious to one with ordinary skill in the art.

FIG. 8 a illustrates PRISM Memory cluster block diagram. There may beoptions to have multiple content streams and hence multiple contexts mayoptionally be simultaneously operated upon in different memory FSAclusters, illustrated in FIG. 8 a. For clarity, PRISM Memory cluster,memory FSA cluster, a cluster, memory cluster and memory FSA cluster areused interchangeably in this patent. A given cluster and its associatedFSAs may also be able to support multiple content streams using thecontext information. When a new content stream starts getting processedby a FSA rule block or a cluster or the like, it may traverse throughvarious FSAs whose states may need to be saved, if the content stream isnot fully processed, when the same FSAs need to start processing anothercontent stream. The local context memory, block 812, or global contextmemory, block 712, or external memory (not illustrated) coupled toexternal memory controller, block 1221, or a combination thereof may beused to save the state of active FSAs for a given context before theFSAs are switched to operate on a different context. Further, the newcontext may have its saved context restored in the specific FSAs beforecontent from that context starts to be processed. The local contextmemory along with global context memory affords the benefit of very fastcontext switching for active contexts simultaneously across multipleclusters and FSAs without creating a context switch bottleneck. Thenumber of contexts being store locally per cluster and those storedglobally or externally is a function of the manufacturing cost and othertradeoffs which will be apparent to the one with ordinary skill in theart. Typically the amount of information that needs to be stored andretrieved per context may be limited to the NFAs that are in the processof recognizing a specific string defined by its regular expression. Ingeneral most NFAs may be continuously be starting to analyze the inputstreams from a start state if the strings being searched are not veryfrequent in the content being search. The FSA controller, block 802,coupled with blocks 704, and the local and global context memories andtheir respective memory controllers as well as the blocks 713 and 815,the local priority encoder and evaluation processor, takes the steps toperform the context switch if contexts are enabled before processing anew context.

The cluster address decode and FSA controller, block 802, may decodeincoming addresses for configuring, reading or writing from PRISM memorylocations or the like of the cluster PRISM array, block 808 which iscomprised of an array of PRISM NFA rule blocks illustrated above in FIG.6A and FIG. 6B, and also referred to as PRISM Search Engines (PSE),block 803, in this patent, and activates memory location's word lineand/or bit lines or other word lines or content lines or mask lines orthe like or a combination thereof, described below to read, write and/oraccess the specific PRISM memory location. There may optionally becluster specific bit line drivers and sense amplifiers, block 809, andbit line control logic, block 810, which may be used to read or writespecific bits in the PRISM cluster memory array, block 808. Thesecircuits are well understood by memory designers with ordinary skill inthe art. The sense amplifiers and drivers may optionally be present atthe global PRISM memory level illustrated in FIG. 7 depending on thetradeoffs of die area, performance, cost, power and the like which onewith ordinary skill in the art can easily appreciate. The benefit ofhaving local sense amps and drivers is potentially creating lowerinterconnect load for individual memory bits, which in turn can helpimprove the performance. Typically the block 802 may be operating duringthe configuration, context switching or other maintenance operationslike storing and retrieving specific NFA state information, orrefreshing specific PRISM FSA memory bits if appropriate and the like.Generally during content processing the block 802 may be dormant unlessthere is a match or an error or the like when it may start performingthe necessary tasks like communicating the match, action, policy, erroror the like to the PRISM controller, initiating context switching andthe like. The PRISM controller, block 703, coupled with the contentstream logic, block 708, content staging buffer, 709, address decode andcontrol logic, block 704, and the cluster FSA controllers, block 802,may present the content to be examined to the PRISM NFA rule blocks. Thecontent to be examined may be streamed by the block 708 from the databuffer or memory, 707, or from external memory, or a combination intothe content staging buffer. The content staging buffer, 709, is coupledto cluster search buffer, 806, and cluster search control, 807 to alignthe appropriate content to the clusters for searching. The contentstaging buffer may hold content from the same context or multiplecontexts depending on the configuration of the clusters and the like.The content is presented to the cluster PRISM array, 808, that comprisesof the PRISM NFA rule blocks for examination in a sequence timed using acontrol signal like a clock or enable or a combination. The NFA ruleblocks perform their inspection and indicate whether there is any rulematch or optionally if there is any CAM pattern match or optionally anytag match and the like. The match signals are looked at by cluster levellocal priority encoder and evaluation processor, block 815, which maydetermine if there is a match and if there are multiple matches whichmatch should be used, or all matches should be used or the likedepending on the configuration. This block 815, may be coupled to globalpriority encoder and evaluation processor, block 713, which may performa similar operation by examining match signals from multiple clusters.The local and global evaluation processors of these blocks mayoptionally generate address(es) for the winning match(es) to the globalaction memory or external memory or a combination that may storeappropriate action information that needs to be retrieved and processedto determine action(s) that need to be taken as a result of specificrule match(es). There may be optional cluster level action memory, notillustrated, for fast retrieval of action information. This clusterlevel action memory may act as a cache of the global and/or externalmemory based action storage. As described earlier the FSA controller,block 802, coupled with local context memory, block 812, its memorycontroller, block 813, along with the local and global evaluationprocessor and priority encoders coupled to global action and contextmemories, may be used to store and retrieve context information from andto configure the PRISM cluster arrays with appropriate FSA states.

FIG. 8 b illustrates PRISM Memory cluster detailed block diagram. Thisfigure illustrates more details of the PRISM memory cluster blockdiagram illustrated in FIG. 8 a and described above. The PRISM clusterscomprise of PRISM Search Engines (PSE), blocks 803, which comprise theright-biased or left-biased or a combination thereof NFA rule blockswhich may optionally be tagged as illustrated in FIG. 6A and FIG. 6B anddescribed above. The PSEs may optionally comprise row-wise, column-wiseor a combination there of or the like mechanisms described below toenable PRISM FSA extension and optionally allow creation of PRISM basedFSA rule groups. The FIG. 8 b illustrates the PSEs arranged in an arraywith ‘n’ rows and ‘m’ columns where ‘n’ and ‘m’ may be any integer valueand may depend on design, cost, process technology, performance, powerand other parameters that one with ordinary skill in the art willappreciate. One exemplary embodiment may comprise of ‘n=128’ and ‘m=8’providing 1024 PSEs per PRISM cluster. The PSEs may optionally compriseof mechanisms for extending the FSAs using methods described below. ThePSEs may comprise row-wise FSA extension, column-wise FSA extension or acombination thereof. The PSEs are coupled to each other and mayoptionally be coupled to the local priority encoder and evaluationprocessor, block 815, for row-wise FSA extension using one or moresignals, illustrated by lines 821(1) through 821(n). The PSEs may alsobe coupled to each other in a column-wise manner using one or moresignals represented as a group of lines, 820 (21) through 820(nm),coupling PSEs to their column-wise neighbors. Such signals may be usedto provide a column-wise FSA extension using mechanism and architecturedescribed below. The PRISM memory cluster priority encoder andevaluation processor, block 815, may further comprise configurablecontrols that would allow any group of extensible FSAs to be coupled toother groups of FSAs local to the PRISM memory cluster or inter-clusters(i.e. between multiple PRISM memory clusters) or a combination thereof.Cluster Address Decode and FSA Controller, block 802, provides controls,804(1) through 804(n) like wordline address and the like for each PSEand its internal memory elements like the SDV, Symbols and the likewhich are used to configure the PSEs with appropriate RE rules convertedor compiled in to programmable FSA data structures. It may also becoupled to the cluster search controller, block 807, and sense amps andread buffers, block 819. The cluster search controller may receive thebyte values to be configured into the PSEs and may comprise the bit linedrivers for the PSE memories. The sense amps and read buffers maycomprise the sense amplifiers and data read buffers to read and storethe information retrieved from the PSE array. Once the PRISM memoryclusters are configured with the RE rules, the content to be processedmay be presented to the cluster search controllers. The cluster searchcontroller, block 817, is coupled to the columns of PSEs using signals,822(1) through 822(m), that may comprise bit lines for each of the ‘m’columns of the PSE array. The cluster search controller may present thesame content symbols or characters or bytes or the like, to each columnof the array such that every FSA can process each incoming symbol and beevaluated simultaneously. However, if the PRISM cluster is configured tobe used as content addressable memory, the content search controller maypresent the content in chunks of ‘m’ symbols or chunks of two ‘m/2’symbols or the like to the PSE array. The PSEs provide the indication ofwhether a match with the programmed rule is detected or not or if a tagis matched or not or the like in a row-wise manner to the local priorityencoder and the evaluation processor, block 815, using the signals,811(1) through 811(n), that couple the PSEs in a row with the block 815.The local priority encoder and evaluation processor may receive thematch signals and based on optional policy programmed, provide thewinning match if multiple match signals are asserted simultaneously ormay record each match or a combination. It may also provide counters tokeep track of the specific location in the incoming content stream wherea match or a set of matches were generated. It may further provideactions associated to specific rules being activated and may comprise ofstopping the processing of the specific content flow, or content streamor content session or the like; or generating an alert or activating a.new rule group or stopping a certain rule group from furtherexamination or a combination there of or the like. It also communicateswith the global priority encoder and evaluation processor, 713, to takeappropriate actions similar to those described above. The content readinto the read buffers of block 819, may be coupled to the local clustercontext memory, 812, or global context memory, 712, or external memorycontroller, 721, through the signals 817, block 815, signal 814, signals711 and signals 715 for storage to the appropriate memory locationinternal to the PRISM chip or an external memory coupled to the block721 using the memory bus interface signals 720.

Each PSE of a PRISM memory cluster may be addressed using one PRISMMemory location or a set of PRISM memory locations or a combinationthereof. All internal memory elements of a PSE like the each statedependent symbol memory, mask vector memory, SDV memory, or theinitialization vector memory and the like may each be mapped asindividual memory locations in the PRISM memory address space or mayeach be addressable in a PSE address space once the PSE is selected froma PRISM memory address or the like as may be appreciated by one withordinary skill in the art. One preferred embodiment may comprise of 22PRISM Memory address bits where in the upper 17 address bits are used toselect a specific PSE in an embodiment with 128,000 PSEs and the lower 5address bits are used to select a specific memory element of theselected PSE as described above. Other variations of such an arrangementare within the scope and spirit of this invention as may be appreciatedby one with ordinary skill in the art. The number of address bitsallocated to select PSEs depends on the number of PSEs and the number ofaddress bits allocated to select memory elements of a PSE depend on thenumber of memory elements in one PSE, which may in turn depend on thenumber of states per PSE, FSA extension mechanisms per PSE, symbol sizeand the like as may be appreciated by one with ordinary skill in theart. Further, a specific PSE within a cluster may be addressed orselected by PRISM memory cluster row address and a column address whichwould be derived from the PSE address bits. One preferred embodiment ofPRISM memory with 128,000 PSEs may use 128 rows and 8 columns of PSEsper PRISM memory cluster, there by supporting 1024 PSEs per PRISM memorycluster. In such a PRISM memory embodiment, upper 7-bits of the 22-bitsfor PSE address may be allocated to select a specific PRISM memorycluster, and the next 10 bits of the PSE address may optionally be usedto select a specific PSE in a PRISM memory cluster while the lower 5bits may optionally be used to select a specific memory element of theselected PSE of the selected PRISM memory cluster. The 10-bit addressfor selecting a specific PSE of a PRISM memory cluster, may further beallocated such that upper 7-bits of that may be used as a PSE rowaddress selection and the remaining 3-bits of the address used as a PSEcolumn address selection. There are multiple other ways to perform theaddressing of PRISM memory as may be appreciated by one with ordinaryskill in the art and all such variations are within the spirit and scopeof the teachings of this invention.

FIG. 11 illustrates PRISM row-wise FSA extension. The figure illustratesPRISM Search Engines as FSA 1, 1101 (1), FSA 2, 1101(2) through FSA M,1101 (M), which may optionally be PSEs in a row of a PRISM cluster. TheFSAs are similar to those illustrated in FIG. 6A and FIG. 6B with someadditional blocks described below that enable the PRISM FSAs to becomeextensible. The State Blocks 1 through N, 1102 (1) through 1102 (N) aresimilar to state blocks 601, 602, 603 of the left-biased or right-biasedtagged NFAs or FSAs described above. The State Control and Match detectblocks, 1105(1) through 1105(N) and 1106(1) through 1106(N), are alsosimilar in functionality to state control, block 604, and match detect,block 613, described above for FIG. 6A and FIG. 6B, with some minoraddition to accept another term of partial state transition controlfeeding into the transition logic illustrated in block 507 a or 507 n orthe like. The additional state transition control is based on a globalstate transition described below. Row-wise FSA Extension architecture inPRISM comprises of a Global State Dependent Vector (GSDV), block 1103(1)through 1103 (N). It may optionally comprise of a Global Control Vector(GCV), blocks 1107 (1) through 1107 (N), and may optionally comprise ofa Global Transition Logic (GTL), blocks 1108(1) through 1108(N). Theymay optionally be coupled to the state transition logic of each FSAbeing extended using a Global Control Network (GCN) which may compriseof multiple circuits like those illustrated by blocks 1113, 1114, 1115,1116, 1121, 1122, 1123, 1124, 1104(1) through 1104 (N) per FSA block orthe like or a combination thereof. The GSDV may optionally be an N-bitVector, where each bit of the vector may enable a transition into thecorresponding state of the FSA. It is possible to restrict the number ofGlobal entry points into an FSA, in which case the GSDV may be a vectorwith fewer than N-bits corresponding to the states that may be enteredfrom other FSAs using the FSA extension mechanisms described in thispatent. Similarly GCV and GTL may also be N-bit vectors or vectors withfewer bits. The decision to use N-bits or less bits for these vectorsmay depend on the RE characteristics, application requirements, devicesize, implementation costs and the like as will be apparent to thosewith ordinary skill in the art. The GSDV and GCV vectors are memorylocations and realized using memory circuits similar to other memory bitvectors like SDV, Symbols, the mask vectors and the like of this patentas may be appreciated by one with ordinary skill in the art. Thespecific memory bits circuits are not illustrated to avoid obscuring theinvention. When a bit of GSDV is set to ‘1’ or an active state, theinput to the logic gate, like 1104 (1), from GSDV is set and would thenenable a transition to the corresponding state if symbol associated withthat state is received like RS11, and the state from another FSA thatcontrols the extended FSA state transition is set to ‘1’ or activestate. Descriptions below illustrate a few examples to clarify the GSDVcontrols. Thus the GSDV controls the transition into a particular stateof the associated FSA from another FSA. Similarly GCV, controls thetransition out of a specific state of an FSA to another FSA that iscoupled to it using the FSA extension mechanisms described in thispatent. When a GCV vector bit, like 1107 (1) is set to an active statelike ‘1’, and if the corresponding state, 1106(1) of the FSA, 1101(1) isset, then the GTL logic, 1108(1) would be activated. FIG. 11 illustratesa pre-charge and discharge circuit forming a wired-NOR logic between theGTL blocks of the FSAs coupled to form row-wise FSA extension. Forexample, the GTL blocks like 1108 (1) of each of the coupled FSA iscoupled to a precharge line like 1109, 1110, 1111, 1112 or the like,which are precharged by transistors like 1113, 1114, 1115, 1116 or thelike. When any of the GTL receives its inputs like 1125(1) and 1126(1)as active, it pulls the coupled precharge line 1109 to a low value. Whennone of the GTL outputs pull the precharge lines like 1109, they stay attheir precharged high value that has been precharged by thecorresponding precharge transistor like 1113. The output of theprecharged signals may optionally be buffered or inverted as illustratedby inverters Hike 1121, through 1124 which then drive those signals toall the FSAs coupled to the output signals, like 1117 through 1120, ofthe inverters with the corresponding FSA gates like, 1104(1) through1104 (N). Hence, when signal 1109 is pulled low, the output 1117 may bepulled high. Thus if the GSDV bit connected to the device, 1104(N) of anFSA is high and the received symbol is RSn1, the transition into thatstate is enabled. Although the figure illustrates the precharge signals,like 1109, to be coupled to inverters, like 1121, they may optionally becoupled to a multiplexer input, not illustrated, such that another inputof the multiplexer may be used to control whether the value on thesignals, like 1117, is from the local FSA group or from an input stateexternal to the FSA group, not illustrated. Such a multiplexer or otherlogic or a combination may be used to create a rule group transitioncontrol network, where a rule group may be enabled when another event isdetected by other PRISM FSAs or PRISM clusters.

FIG. 11A illustrates PRISM Rule Group FSA Extension. PRISM memory ofthis patent may optionally allow formation of a group of REs to betreated as a rule group, such that one group of REs may be enabled whenanother RE or RE group is evaluated to be active. This figureillustrates a mechanism to enable such rule group FSA extensions. TheRule group architecture leverages all the features of the Row-Wise FSAExtension logic described above, with a small modification, where theinverters, 1121 through 1124, are replaced by Rule Group TransitionLogic (RGTL), block 1128, which enables the transition to a set of FSAsfrom other Rows of PRISM cluster or other PRISM clusters. The Rule GroupFSA Extension architecture further comprises of Rule Group ControlVector (RCV), 1126, which may be an N-bit vector or the same width asthe width of the GTL of each FSA. When a bit of RCV is set, then thecorresponding output signal in the group, 1127, is set which in turn maylet the corresponding output signal, like 1117, of the RGTL block becoupled to a corresponding signal of External State Vector (ESV), line1125 instead of the Row-wise FSA Extension precharge signal, like 1109.The ESV bits may be state output from a group of rules within the PRISMCluster or another PRISM cluster. When such a group's state thatindicates a transition to another rule group is activated, the globalevaluation processor, block 713, or the local evaluation processor,block 815, or a combination couple that state signal to thecorresponding ESV bit which then enables the transition to the stateenabled by the output of the RGTL. Optionally the PRISM local evaluationprocessor, block 815, or global evaluation processor, block 713, orPRISM controller, block 703, may set the appropriate ESV bits to causethe rule group to be activated. ESVs for various rule groups may bememory mapped such that by writing to such an ESV memory location aspecific rule group may be activated. When a rule group transition likethe one described here is enabled, the corresponding Symbol detectioncould optionally be ignored by setting the mask bits for that specificsymbol, or the like, such that the rule group is activated once thecorresponding ESV bit is asserted. Another output of the RGTL, may beESV_out, signal 1129, which may be the outputs of this rule group thatcan be used to trigger transition into a state of another rule group.The ESV_out may be an N-bit or less vector as an output from RGTL whichmay optionally comprise an internal RCV_out vector, not illustrated,that may control which state bits are enabled on to ESV_out from thisrule group. The RGTL may comprise a simple multiplexer based logiccircuits, but may also comprise a mesh network connecting each prechargeinput or ESV input to the output or a combination there of or the like.

Although the description here and elsewhere within this patent may bewith regards to precharge circuits, it will be appreciated by those withordinary skill in the art, that other non-precharge circuits or logicmay be used to realize the same functionality and all such variationsare within the scope and spirit of the teachings of this patent.

FIG. 12 illustrates PRISM Row-wise FSA extension example #1. The FSAs inFIG. 12 are assumed to be four state FSAs. Thus if a RE has more thanfour states, it would not fit in a single FSA or PSE. In such a case FSAextension architecture and mechanisms described in this patent will needto be used. FIG. 12 illustrates a PRISM row with four FSAs, FSA1,through FSA4, blocks 1201(1) through 1201(4), each with four states thatcan be used to represent a 16-state RE ‘abcdefghijkLmnop’ using therow-wise FSA extension. In this example, the RE is a simple 16-characterstring which is split up into four chunks of four characters each by thecompiler and assigned each chunk to one of the FSAs. The states of eachFSA state bits are illustrated to represent a specific symbol orcharacter like 1202 (1) which is used to represent the statecorresponding to the symbol ‘a’. This state bit is set when the receivedinput symbol is an ‘a’. The value of the state bit is represented as thesymbol in the description below for ease of explanation and wouldotherwise be a logical value like ‘1’ or ‘0’ or the like. The symbol ‘a’is the start state indicated by the single circle around the symbol,1202(1). Thus when the input content has a symbol ‘a’ the RE rule or FSAstarts the evaluation of the content and enters the state ‘a’. Thefigure does not illustrate the SDV for each of the states and the FSAsto avoid obscuring the description of the FSA extension as may beappreciated by those with ordinary skill in the art. The SDVs, symbolsand other controls of the FSA 1, block 1201(1) are set such that thestate transition within the FSA progresses from a to b to c to d, if aseries of input symbols received is ‘abcd’. Similarly, for FSA 2, block1201 (2) through FSA 4, block 1201 (4) the internal transitions areimplied and not explicitly illustrated. The FSA extension is created bysetting the GSDV and GCV such that the sequence of states that areenabled detect the desired RE string ‘abcdefghijkLmnop’. The GCV vectorbit 4, 1203 (4) of FSA 1 is set to ‘1’ while its other bits are set to‘0’. Thus when the FSA 1 reaches the state ‘d’, block 1202 (4), the GTLbit 4, 1210, is pulled low, which indicates that the FSA 1 has reached astate that can now enable a transition to a state in another FSA. TheGSDV bit 1, block 1214, of FSA 2, block 1201 (2) is set to ‘1’ whichenables the transition into state ‘e’, block 1218, when the receivedsymbol is RS12 (‘e’) and the line 1204, coupled to the third input ofNAND gate, 1217, through the inverter coupled to 1204 is activated. Ifthe input string received so far is ‘abode’ then the state ‘e’ of FSA 2is activated. However, if the fifth character of the input string is notan ‘e’, the FSA 1 state ‘d’ is deactivated and thus even if thefollowing symbol i.e. the sixth symbol is an ‘e’, the FSA 2 state ‘e’ isnot activated. Assuming that the string received is ‘abode’, then thestate ‘e’ is activated. FSA 2 traverses through the states ‘fgh’ if thefollowing three symbols received are ‘fgh’. As may be noted in thisillustration, the states are not sequentially arranged, for example thestate ‘h’ appears as the third state, block 1208, instead of the fourthstate in FSA 2. To enable such organization of the states, the SDV ofthe state ‘h’ of FSA 2 is setup such that state ‘h’ is logically thefourth state that is entered after state ‘g’ is activated, where state‘g’ is the third logical state entered from state ‘f’, setup to dependon state ‘f’ in SDV of state ‘g’. Thus physical location of the symbolis not required to be in a sequential order because the state transitionin PRISM depends on the current state, the received symbol and the statedependent vector. Similarly, the state ‘h’ of FSA 2 is coupled to state‘i’ of FSA 3 using GCV bit 3, 1207, GTL bit 3, 1209, and signal 1205,coupled to the GSDV bit 2, 1215, coupled to the transition input gatefor the state ‘i’ of FSA 3, 1201 (3). Similarly the state ‘L’ of FSA 3is coupled to state ‘m’ of FSA 4 using the appropriate GCV and GSDV bitsas illustrated. When the state ‘p’ of FSA 4 is reached, the RE ismatched and the input string is recognized to be ‘abcdefghijkLmnop’. Thestate ‘p’ is marked as the accept state by the compiler, illustrated bydouble circles, 1219, such that accept vector of the FSA 4 is set as‘0100’, so that ‘p’ is the accept state. When the accept state ‘p’ isreached a match signal, like 609, of FSA 4 is asserted which is thenrecognized by the cluster priority encoder, block 815, and a RE match isflagged and appropriate action associated with this RE match taken orinitiated.

FIG. 13 illustrates PRISM Row-wise FSA Extension example #2. In thisillustration, similar to that in FIG. 12, the FSAs are assumed to befour state FSAs. However the regular expression rule to be evaluated is:(abc|defghi)+jkL, which recognizes a string of characters that containone or more occurrences of sequences ‘abc’ or ‘defghi’ followed by thesequence ‘jkL’. Note the one or more occurrences of sequence ‘abc’followed by ‘defghi’ which is followed by ‘jKL’ once or one or moreoccurrence of sequence ‘defghi’ followed by ‘abc’ which is followed by‘jKL’ may also be recognized by the regular expression. The expression(abc|defghi)+indicates that the terms ‘abc’ or ‘defghi’ may occur one ormore times or may occur one after the other one or more times. The FIG.13 illustrates how such a RE be evaluated using a Row-wise FSA extensionarchitecture and mechanisms of this patent. In this expression, wheneverthe states ‘c’ or ‘i’ are reached, the expression can start evaluatingat states ‘a’, ‘d’ or T, since they are all the follow states of thestates ‘c’ and T. To enable such a transition the compiler assigns GCVvectors of FSA 1 and FSA 3 to be ‘0001’, such that when state ‘c’ isreached, signal 1302 is coupled to precharged signal 1314, or when thestate ‘i’ is reached, signal 1304, is coupled to precharged signal 1316,which is coupled to line 1314. These outputs are then coupled to thestates ‘a’, ‘d’ and ‘j’ by the GSDV vectors for FSA 1, FSA 2 and FSA 4where the bits, 1305, 1308 and 1312 are each set to ‘1’ enabling atransition into the states ‘a’, ‘d’ and ‘j’ from the states ‘c’ or T.The expression ‘defghi’ is compiled to occupy two FSAs, FSA2 and FSA3,which are coupled by the GCV and GSDV bits that couple the output 1315from the state location ‘g’ of FSA 2 to input gate, 1310, whichtransitions into state ‘h’ when the received symbol is ‘h’ since theGSDV bit 2, block 1309, is set to ‘1’. When the FSA 4 reaches the stateL, which is marked as an accept state the FSA 4 asserts the match signallike 609, which is then recognized by the cluster priority encoder,block 815, and a RE match is flagged and appropriate action associatedwith this RE match taken or initiated.

FIG. 14 illustrates PRISM Column-wise FSA extension. The figureillustrates a group of four

FSAs on the left where each FSA is in one row. Each FSA is illustratedto comprise of eight states where each state and its state transitionlogic, match detection logic and the like is represented by a box each,like 1401(1) through 1401(8). The FSA state bits are illustrated to bealigned in columns labeled Bit 1 through Bit 8. Each state bit of an FSAis illustrated to be coupled to its neighbor using up and down controlswitches illustrated as lines 1403 (1), 1403 (2) and the like. Blocks1404 (1), 1404 (2), 1405 (1) and 1405 (2) illustrate FSA state bits 1and 2 of two FSAs, FSA 1 and FSA 2 illustrating the column-wise FSAextension architecture in detail and mechanism and do not illustrate allother components of PSE state like the RSV, SDV and the like. The statebits of adjoining FSA rows are coupled to transfer their stateinformation to the neighbor in a column-wise manner. FSA bits 1 areillustrated to transfer the state information in the down direction fromblock 1404 (1) to block 1404 (2), while the FSA bits 2 are illustratedto transfer the state information in the up direction from block 1405(2) to block 1405 (1). Each FSA state bit may comprise of both up anddown transfer mechanisms or they may be alternating as illustrated inthis figure or there may be other pattern like skipping one state bit totransfer the states or the like and all such variations are covered bythis patent as may be appreciated by one with ordinary skill in the art.The illustrated column-wise FSA extension logic enables each bit toaccept an incoming state, and originate the transfer of its state to thenext neighbor. The column-wise FSA extension comprises a Forwardingvector (FV) which comprises of bits like FV11 of block 1404 (1). It mayfurther comprise of local forwarding vector (LV) which comprises of bitslike LV11. It may further comprise of circuits that allow the state bitsto be merged and forwarded down or up or a combination thereof usinggates like 1406, 1407 and 1408 that form an AND-OR logic functionbetween the inputs, such that if FV11 is set to ‘1’ and LV11 is set to‘0’, then signal GD11 of block 1404 (1) is coupled to output of gate1408, onto the signal GD21 of block 1404 (2). Similarly, if FV11 is setto a ‘0’ and LV11 is set to a ‘1’, then the state Q11 of the FSA bit 1,block 1404 (1) is coupled to the signal GD21. Further, the gate 1409,may enable the transition into the state bit 1, if UC11 is set to ‘1’and the received symbol is RS11 when GD11 is ‘set’. The Up ControlVector (UC), comprises of control bits like UC11 per FSA state bit, andenables that particular state bit to accept a transition into that stateif the UC bit is set enabling FSA extension from another FSA. Similarly,the logic gates 1410, 1411, 1412 and 1413, coupled to the FV, LV and UCbits FV21, LV21 and UC21 respectively enable the column-wise FSAextension into and out of state bit 1 of FSA 2. The FV and LV vectorsare not required to be mutually exclusive. Hence, an FSA state bit mayaccept an incoming state and allow the same state to be forwarded if FVand UC bits are set to ‘1’. It is also optionally feasible to merge thestate bit output of the current bit to the incoming state bit, bysetting both FV and LV vector bits to ‘1’. In such a case the forwardedoutput state is a ‘1’ when either the incoming state bit is a ‘1’ or thelocal state bit is a ‘1’ or both. The FSA bits 2, illustrate a verysimilar mechanism as the one described above to transfer the state inthe opposite direction. The upwards FSA column-wise extension mechanismmay comprise of Forwarding Vector-Up (UV), Local Forwarding Vector-Up(LUV), Down Control Vector (DC) and may further comprise of the logiclike gates 1418, 1419, 1420, 1421 and the like that enable the transferof a local state like Q22, upwards as well as forward an incoming state,like GUP22, upwards, coupling to output GUP12, a well as accept anincoming state, GUP22, from a lower FSA to enable transition to itsstate bit by coupling through a gate like 1418 and the like. Again theLUV, UV and DC are not required to be mutually exclusive. The FV, LV,UC, UV, LUV, DC bits may each be setup as memory locations that getprogrammed like other control vectors for example the SDV, Symbols, maskvectors and the like. The memory circuits for these bits are notillustrated to not obscure the invention and are similar to any othermemory bits of PRISM as may be appreciated by one with ordinary skill inthe art.

FIG. 15 illustrates PRISM FSA Extension Example #1. This figureillustrates a Column-Wise Extension on the left and it also illustratesRow-Wise and Column-Wise Extension on the right. These figuresillustrate PSE comprised of 8 states per FSA. The figures illustrate howfour regular expressions may be programmed in PRISM using the FSAextension architecture and mechanism of this patent. Block 1501,illustrates how a regular expression RE1: (abc|defghi)+jkL may beprogrammed using the column-wise FSA extension. Each box like 1513represents an FSA state bit and all the other associated circuits,similar to block 614 with circuits for FSA extensions described aboveadded, and is labeled with the state that it represents using the statescorresponding symbol like ‘a’. Block 1504, illustrates how a regularexpression RE2: ‘abcdefghijkLmnop’ may be programmed using thecolumn-wise FSA extension. The figure does not illustrate the GSDV, GCV,SDV and the like vector bits being setup to simplify the illustrationand description, but are implied to be setup properly by the PRISMsearch compiler to enable the right transitions between multiple states.Further, the figures illustrating RE examples in this patent, localstate transitions within an FSA are implied to exist and properprogramming generated by the compiler but are not illustrated to notobscure the figures. The arrows in the figure, like 1508 and 1507 areused to indicate inter-FSA transitions enabled using the FSA extensionmechanisms of this patent. The RE1 is programmed to include two terms‘abc’ and ‘jkL’ of the RE1 in the FSA in Row1. However, the term‘defghi’ is programmed using the column-wise FSA extension mechanismsdescribed above and is distributed between FSAs in Row 1 and Row 2. Forinstance, the state ‘d’ is assigned to Row1 and column B3, block 1514.The local vector of this state bit is set to ‘1’. Thus when the state‘d’ is activated the output from B3 Row1 to B3 Row 2, arrow 1508, isactivated. The UC vector bit 3 for the Row 2 state bit 3 is set to a ‘1’which enables the transition into state ‘e’, Row 2 column B3, if thereceived symbol is ‘e’. Thus if the input content is ‘de’, then thedownward transition, arrow 1508, will be taken and the FSA in Row 2 willbe in state ‘e’. However, if the second symbol is not an ‘e’, then thestate ‘e’ is not activated. The states of FSA in Row 2 are programmedsuch that they transition from ‘e’ to ‘f’ to ‘g’ to ‘h’ when a sequenceof ‘efgh’ is received after a symbol ‘d’. When FSA 2 reaches state ‘h’,the upward state forwarding mechanism between Row2 column B8 and Row1column B8 is activated and the FSA in Row 1 will reach the state ‘i’ ifthe next symbol received is ‘i’. For the upward transition, the localforwarding vector-up (LUV) bit for Row 2 column B8 is set to ‘1’ and thedown control vector (DC) bit for Row1 column B8 is set to ‘1’, whichenable the transition from Row2 FSA state ‘h’ to Row1 FSA state ‘i’.When the state ‘c’ or ‘i’ of Row 1 is active, then the following statesthat the FSA may enter as per the RE1 are ‘a’, ‘d’ or ‘j’ depending onthe received input symbol and so the SDV vectors for those states areset up to transition from the states ‘c’ or T. When the Row 1 FSAreaches state ‘L’, which is programmed as an accept state, the RE1 isactivated and the input string recognized by this RE has been receivedon the input. A match signal like 609 from this FSA is activated andsend to the cluster priority encoder and evaluation processor whichtakes appropriate action based on this regular expression match. Block1504, illustrates a regular expression RE2: ‘abcdefghijkLmnop’programmed using the column-wise FSA extension mechanisms of thispatent. The state ‘a’ which is the start state, block 1512, is assignedto Row 4 and column B1 and other seven states are assigned in the otherstate bit slice columns of FSA 4. Then the state ‘h’ is coupled to state‘i’ of Row3 column B8 using the up column-wise FSA extension similar toblock 1501 described above. As may be noticed the states ‘jkLmnop’ areassigned in a reverse order in Row3, though as discussed above the stateassignment order is not critical in PRISM, since the state transitioncontrols like SDV are set properly to follow the correct transitions.Thus for the Row 3, the FSA states are programmed to transition in theorder ‘ijkLmnop’, if a string corresponding to that sequence is receivedafter ‘abcdefgh’. When the state ‘p’, 1511 is reached, the RE2 ismatched and the match signal for this RE is asserted to the clusterlocal priority encoder and evaluation processor, block 815, which takesappropriate actions that are programmed based on activation of RE2.

Blocks 1502, 1505, 1503 and 1506 illustrate the programming of RE1[(abc|defghi)+jkL], RE2 [abcdefghijkLmnop], RE3 [(xyz|defghi)+jkL] andRE4 [xyzdefghijkLmnop] respectively using the Row-wise and Column-wiseFSA extension mechanisms of this patent. The block 1502, column 1, Row 1FSA, programs the terms ‘abc; and ‘jkL’ of RE1 where as the term‘defghi’ is programmed in the column 2, Row 1 FSA. The Row-wiseextension architecture and mechanisms described above and illustrated inFIG. 11 is used here except that the width of each FSA is ‘8’ states. Inan exemplary 8-state FSA based FSA extension, there may be eightprecharge lines like 1109, 1110 and the like which may each be activatedby the corresponding state bit of the coupled FSAs which may provide agreater freedom for coupling various state terms of a large FSA. Thetransitions 1520 and 1519, take the FSA from one FSA to the next FSA asper the regular expression state transitions. Local state transitionswithin an FSA are not illustrated as described above. Thus when the FSAreaches state ‘c’, it may enable local transitions into states ‘a’ and‘j’ and enable an inter-FSA transition 1520 into state ‘d’. Similarlythe state ‘i’ may enable a local transition within that FSA to state ‘d’and enable an inter-FSA transition 1519 to states ‘a’ and ‘j’ of Column1Row1 FSA. When the accept state ‘L’ is reached the match signal for theassociated FSA is asserted and the cluster priority encoder andevaluation processor, block 815, takes the appropriate action that isprogrammed.

The compiler may assign various FSA states to appropriate state bitslices like 614 depending on the row-wise coupling architecture whichmay be different than that illustrated in FIG. 11 as may be appreciatedby one with ordinary skill in the art and such variations are within thescope this invention. For instance instead of coupling precharge line1109 to line 1117, another scheme could couple it to a signal like 1118,1119 or 1120 or the like and any such variations are covered within thescope of this invention.

Block 1503, illustrates RE3 to be programmed using the column-wise FSAextension. The compiler may assign different terms of the RE toappropriate state bit slices of the FSAs to enable the transitionsrequired to complete the correct RE state transitions between variousterms of the RE, and may optionally do it based on the available FSAstate bits and the like. For instance, in this assignment, the term‘defghi’ is assigned to Row 3, Column1 FSA, where the state ‘d’ isassigned to B3, which aligns directly below state ‘z’ of the term ‘xyz’assigned to Row 2, Column1 FSA. This enables the column-wise statetransition between these two terms of the regular expression when state‘z’ is reached and the RE needs to transition to state ‘d’ based on thenext received input symbol. One salient point to notice, is that thestate ‘i’ of Row 3 Column1 is aligned with the accept state ‘L’ in B8 ofRow2. This would prevent a required transition from state ‘i’ to states‘x’ or state ‘j’ of the RE using column-wise transition. This is avoidedby creating a duplicate state ‘i’ in FSA in Row 2 Column1, B7, which isentered from state ‘h’ in Row3 Column1. Thus the column-wise FSAextension architecture enables the state ‘i’ to be reached in FSA inRow2 B7. Both states ‘i’ in both FSAs would be active simultaneouslywhen a symbol ‘i’ is received following a string ‘defgh’. The state ‘i’in Row 2 is then locally enabled to cause transitions into states ‘x’ orstates ‘j’ of the follow states as per the RE, where as the state ‘i’ inRow3 is enabled to cause a local transition to state ‘d’ in Row3 whichis also required to be taken as per the regular expression. Thus, thePRISM compiler has freedom to align various RE terms to effect theproper transitions by duplicating the same state in multiple FSA bitsand FSAs. When the accept state ‘L’ is reached the match signal for theassociated FSA is asserted and the cluster priority encoder andevaluation processor, block 815, takes the appropriate action that isprogrammed.

Block 1506, illustrates RE4 to be programmed using column-wise FSAextension as well, where the freedom of assignments of various states tothe compiler are illustrated using assignments between two rows of theColumn 2 FSAs where multiple transitions are illustrated between variousstate bits distributed between the two FSAs.

FIG. 16 a illustrates column-wise PRISM FSA extension example. In thisexample, a RE: ‘(abc|defghi|Lmnopqrstuv)+jkL’ is illustrated to beprogrammed using column-wise FSA extension architecture. The RE spansacross four rows of FSAs in one column of PRISM memory cluster array.The PRISM compiler selects to program each of the first three termsstarting at B1 location of the first three rows, for example state ‘a’is assigned to block 1601, state ‘d’ is assigned to block 1602, and thestate ‘L’ is assigned to block 1603. The compiler then tries to assignall the states of the specific term within the same FSA if they fit,otherwise it uses neighboring FSAs to assign the remaining states of theterm for example it splits the term ‘Lmnopqrstuv’ in Row 3 and Row 4.The compiler triplicates state ‘c’, block 1608, 1606 and 1607, to enablethe required transition from state ‘c’ into its various follow stateslike state ‘a’, ‘d’, ‘L’ or ‘j’. Similarly state ‘i’ is also repeatedthree times and state ‘v’ is repeated two times, block 1614 and 1615, toenable appropriate transitions required by the RE. The appropriate FV,LV, UV, LUV, DC and UC vector bits are set to enable the right statetransitions required by the RE terms as assigned to the group of fourFSAs by the compiler. The transition 1610 and 1612, illustrate acomposite transition, where both LUV and UV for state ‘i’ in Row2, B7are set to ‘1’, enabling the state transition from state ‘v’, 1615 tostate ‘j’ as well as transition from state ‘i’ to state ‘j’. However,the DC vector bit for the state ‘i’ is set to ‘0’ to prevent state ‘v’from causing a transition into state ‘i’ when the inputs received are a‘v’ followed by an ‘i’. When the accept state ‘L’, Row 1, B5 is reachedthe match signal for FSA in Row1 is asserted and the cluster priorityencoder and evaluation processor, block 815, takes the appropriateaction that is programmed.

FIG. 16 b illustrates Row-wise and column-wise PRISM FSA extensionexample. In this example, a RE: ‘(abc|defghi|Lmnopqrstuv)+jkL’ isillustrated to be programmed using column-wise and row-wise FSAextension architectures together. In this illustration the compiler usesthree columns of FSAs of one row of FSAs or PSEs, blocks 803, of thePRISM memory cluster, block 808, to program various terms of the RE anduses Row 2 of column 3 for a few states of one term. The FSAs in Row1are coupled to each other using the row-wise FSA extension mechanisms,where as the column 3 Rows 1 and Row 2 FSAs are coupled using thecolumn-wise FSA extension architecture. The states ‘u’ is duplicated,block 1627 and 1628, and the state ‘v’ is also duplicated, block 1619 an1623 to enable the right transitions between various states and terms ofthe RE. The term ‘abc’ and ‘jkL’ are assigned to FSA in Row 1 inColumn1, where as the term ‘defghi’ is assigned to Row 1 in Column 2.and the term ‘Lmnopqrstuv’ is assigned to Column 3 FSAs in Rows 1 andRows 2. The transition 1629, enables the FSA to go from state ‘q’ tostate ‘r’ using the column-wise transition, as well as the transitionsfrom duplicated states ‘u’, 1627 and 1628, to duplicated states ‘v’,states 1619 and 1623, respectively are also enabled using column-wisetransition. The transition 1620, enables transition from state ‘c’,state ‘v’ and state ‘i’ to states ‘d’ or state ‘L’, while the transition1624, enables the state transition from states ‘v’ and ‘i’ to states ‘a’or T. Transitions within an FSA are not illustrated to not complicatethe figure but are implied and properly programmed by the PRISMcompiler. When the accept state ‘L’, Row 1, Column 1 is reached thematch signal for FSA in Row1 is asserted and the cluster priorityencoder and evaluation processor, block 815, takes the appropriateaction that is programmed.

In one exemplary embodiment, there may be column-wise FSA extensionenabled between each group of four PRISM Memory cluster PSE rows, andthe row-wise extension may be enabled between each of those rows andeight columns of PSEs. If a regular expression needs more states thanthe states enabled by such a large group of FSAs, such an RE mayoptionally be split into multiple FSAs or may optionally use rule groupFSA extension architecture and mechanisms illustrated in FIG. 11A anddescribed above. Thus by using the column-wise and row-wise FSAextensions of this patent any arbitrary FSA may be represented withinPRISM, even when the individual PSE may support lot fewer FSA states asillustrated above.

As discussed above, modern programming languages and operating systemssupport a range or interval mechanism for regular expression symbols.For example if in a regular expression the symbol ‘a’ appears 5consecutive times, then it may be possible to represent that as ‘a[5]’instead of ‘aaaaa’. In general such expressions can be ‘a[x,y]’, whichmeans symbol ‘a’ must appear in the expression from ‘x’ to ‘y’ times or‘a[x,]’ which means the symbol ‘a’ must appear at least ‘x’ times forthis expression to be valid or ‘a[x]’ which means the symbol ‘a’ mustappear exactly ‘x’ times for this expression to be valid or the like.Such symbols represented with the interval for example ‘a[x,y]’ where xand y are integers and x is equal to or less than y, are referred to asthe interval symbol in this patent. One way to support regularexpressions with interval symbols is by fully expanding the interval andrepeating the symbol to which the interval applies. This can be a veryinefficient way of implementing such an expression in hardware. There isa need to represent such regular expressions in a compact manner tobetter utilize the integrated circuit chip area. My invention alsodescribes an architecture that enables the creation of such complexregular expressions with interval representation in an efficient waywithout using up a large number of states for the interval range from‘x’ to ‘y’.

FIG. 17A illustrates a PRISM FSA without Interval Symbol. The regularexpression ‘ba[3,5]c’ is represented by the FSA illustrated in thisfigure. In this figure the regular expression is expanded to a form like‘baaac|baaaac|baaaaac’ where each term of this expanded regularexpression includes exactly 3 or 4 or 5 occurrences of symbol ‘a’ inbetween the symbols ‘b’ and ‘c’ to cover each of the three possibilitiesdefined by the regular expression ‘ba[3,5]c’. The figure illustratesthat the FSA would transition from start state 0, 1701, through acceptstate 7, 1708, only when one of the three sequences, ‘baaac’ or ‘baaaac’or ‘baaaaac’, of symbols is received. If at any stage during the statetransitions, if an input symbol is received which is not part of thisregular expression, the FSA would transition to an error state, notillustrated, or to the start state without indicating a match. Only whenthe input content contains one of the three sequences above, is a matchindicated. Thus for example if the input sequence is ‘baaac’, the FSAwill transition from the start state 0, 1701, to state 1, 1702, to state2, 1703, to state 3, 1704, to state 4, 1705 to state 7, 1708, where eachtransition from one state to the other is taken on the input symbollabeled on the edge connecting the two states. For example thetransition from state 0 to state 1 is taken when the input symbolreceived is ‘b’. States 5, 1706 or state 6, 1707 or combination areentered when the input sequence has 4 or 5 symbol ‘a’ in a sequencebetween the symbols ‘b’ and ‘c’.

Such an FSA when implemented in PRISM search engines, can use upprecious resources for the same symbol, in this case ‘a’, to facilitatethe state transitions. This would be a very inefficient utilization ofPRISM search engine resources particularly if the interval is wider orthe number of symbol repetitions being expected is big. For example ifthe expression is ‘ba[3,17]c’, or ‘ba[25]c’ or the like, then PRISM FSArepresentation using the fully expanded regular expression asillustrated in FIG. 17A will be very inefficient.

FIG. 17B illustrates PRISM FSA with Interval Symbol. The figureillustrates a state ‘Cnt’, 1709, which acts as an interval symbol state,where an interval counter associated with this state is incremented eachtime the state is reached. Whenever the input sequence of the inputsymbol or symbols leading the transition into the interval symbol stateis broken, the interval counter resets to zero or a predefined count.The state 3, 1710, is entered only if the interval symbol state ‘Cnt’.1709, indicates that a valid sequence of the symbols of interest, inthis case symbol ‘a’, have been received and the new symbol is the oneleading the transition into the state, in this case symbol ‘c’. Thus thetransition from state ‘Cnt’, 1709 to state 3, 1710, is taken only whenthe received input symbol is a ‘c’ and the counter associated with theinterval symbol state ‘Cnt’, 1709, is either 3, 4 or 5 as required bythe interval symbol based regular expression ‘ba[3,5]c’. Similarly,other interval based regular expressions covering the conditions like‘a[x,y]’ or ‘a[x]’ or ‘a[x,]’ or the like may all be constructed usingthe PRISM FSA with interval symbol mechanism illustrated in FIG. 17B, byadjusting the interval counter condition as required by the regularexpression as may be appreciated by one with ordinary skill in the art.

FIG. 17C illustrates PRISM FSA Interval Symbol State Counter Block. Thefigure illustrates an interval symbol state, Q₁, 1718(1), which isentered when the received symbol ‘IRS1’, 1725(1), is active and the FSAis in a state Q₁, 1718(1), through Q_(n), 1718(n), whose associatedstate dependent vector bit V₁₁ through V_(n1) is enabled, which enablestransition from that state into state Q₁, 1718(1) coupled by the NANDgates 1712(1) through 1712(n) and 1713(1) through the signal, 1716. Whenthe signal 1716 is asserted it acts as an increment input to an m-bitinterval counter, 1719, referred to as the interval counter above, whichis associated with the interval symbol state Q₁, 1718(1). The intervalcounter, 1719, is incremented in each clock cycle indicated by the clocksignal, 1728, when the increment signal, 1716, into the interval counter1719, is also asserted. Any clock cycle when the signal 1716 is notasserted, the output of the inverter device, 1715, is asserted and thissignal acts as a reset signal to reset or preset the m-bit counter tozero or other pre-defined value. Thus, once the interval symbol stateQ₁, 1718(1) is entered and the input symbol stream continues to have thesymbol RS1, the state Q₁, 1718(1) stays active, when the state dependentvector bit V₁₁, 1731, is enabled. The interval counter, 1719, thuscounts a sequence of the received symbol RS1 until the sequence isbroken by a different input symbol. The count output of the intervalcounter is illustrated to be provided as input 1726, to the CSL (m-bit)block 1721 and as input 1727 to the CSH (m-bit), block 1722. The blocksCSL, 1721 and CSH, 1722 are interval symbol state low count limit andinterval symbol state high count limit programmable comparatorsrespectively. Thus to represent a regular expression with intervalsymbol ‘a[x,y]’, where ‘a’ is RS1, the memory value for the lower limitfor the interval comparison in CSL, 1721, is programmed with value of‘x’ and memory value for the upper limit for the interval comparison inCSH, 1722, is programmed with value of ‘y’. Now when the count of theinterval counter, 1719, provided to CSL, 1721, on the input signal 1726,reaches a value of ‘x’ or higher, the signal 1729 output from CSL block,1721 is asserted. Similarly, as long as the count value of the counter,1719, is equal to or less than ‘y’, the signal 1730 output from CSHblock, 1722 is asserted. The Count Memory and Transition detection block1723, detects when both 1729 and 1730 are asserted which indicates thatthe interval symbol state is active and the symbol sequence is withinthe interval of ‘x’ through ‘y’. The block 1723 asserts the outputsignal CntV1, 1720, to indicate that the interval symbol state hasreached its interval range specified by the regular expression. Thus anystate of the FSA that dependents on such condition to be valid may beactivated if the symbol after the sequence is the one leading thetransition to that state. The count memory and transition detectionblock, 1723, holds a programmable operation mode memory value thatenables it to decide which type of the interval symbol is beingprogrammed for this regular expression from a set of interval symbolslike ‘a[x,y]’ or ‘a[x]’ or ‘a[x,]’ or the like. When an exact count isexpected, then both CSL and CSH may be programmed with the same intervalvalue ‘x’. For this condition the detection circuits in block 1723,would be activated only when both signals 1729 and 1730 are asserted andwould assert the signal CntV1, 1720. Similarly, if the interval symbolprogrammed is like ‘a[x,]’, then the detection circuits will detectwhenever the signal 1729 is asserted, and assert the signal CntV1, 1720.There are multiple ways of realizing the interval symbol statefunctionality as may be appreciated by one with ordinary skill in theart and hence all such variations or realizations are within the scopeand spirit of the teachings of this invention. The m-bit intervalcounter, CSL, CSH, and the count Memory and transition detection logicand the associated logic described above form interval symbol counterblock 1732.

The state transition circuits of the PRSIM FSA are augmented to accountfor the interval symbol state as illustrated in FIG. 17C. The figureillustrates an n-bit interval symbol control vector (ISCV) ‘C1’, 1724(1)through ‘Cn’, 1724(n). This ISCV control vector can be of a differentwidth as well as may be appreciated by one with ordinary skill in theart if the number of states that the interval symbol state cantransition to is different than ‘n’. The interval symbol control vectorbits C1 through Cn are programmable and may be realized as a location inPRISM FSA memory space. The ISCV vector may also be realized as aregister or any other storage mechanism. The state that depends on theinterval symbol state to be valid before it is entered would have itsappropriate interval symbol control vector bit set. The NAND gates 1714(1) through 1714(n), couple the interval symbol state valid signal,CntV1, 1720 to the appropriate state when the corresponding intervalsymbol vector bit C1 through Cn is active and the received symbol is theone associated with the state. For instance, if the regular expression‘a[3,5]c’ needs to be represented using the Interval Symbol State logicillustrated in the FIG. 17C, the compiler for the PRISM FSA may assignsymbol ‘a’ to RS1, assign ‘3’ to CSL, 1721, assign ‘5’ to CSH, 1722, setstate dependent vector bit V₁₁ to ‘1’, assign symbol ‘c’ to RSn, assignthe appropriate range selection in the count memory and transitiondetection block, 1723 and assign interval symbol control vector bit Cn,1724(n) to ‘1’ along with all the other programmable state dependentvector bits and other PRISM symbol bits and the like are also setupappropriately. When the state Q1 is entered on the receipt of the symbol‘a’, (assuming that the previous FSA state from which this transitionoccurs is valid or this is a start state or the like), the counter,1719, starts counting the number of times the symbol ‘a’ has beenreceived in a sequence. When symbol ‘a’ is received 3 to 5 times, theoutput signals 1729 and 1730 are both asserted which is then detected bythe block 1723 to indicate that the interval symbol state has matchedthe symbol ‘a’ in a sequence of 3 to 5 times, by asserting the signalCntV1, 1720. When the next symbol received is a ‘c’, the gate 1714 (n),has all its inputs, Cn, CntV1 and RSn, asserted which then couples a ‘1’to the state Qn which corresponds to the state for the symbol ‘c’ of theregular expression ‘a[3,5]c’. If this state is an accept state and theappropriate accept state vector is set for the PRISM FSA as describedabove, then a regular expression match is flagged.

FIG. 18A illustrates State transition logic (STL) for a state in PRISMwith interval symbol. The state transition logic for a state that can beentered when an interval symbol is recognized by the PRISM FSA is verysimilar to the state transition logic for a state in PRISM asillustrated in FIG. 4A with a few differences as described below. Thestate transition logic of a state of PRISM without support for aninterval symbol as illustrated in FIG. 4A is augmented with a logicfunction gate, 1807, as illustrated in FIG. 18A. The logic gate 1807,coupled with logic gate 1808, couple the interval symbol state signal,CntV1 into the state transition logic of a PRISM state, creating a statetransition logic for a state in PRISM with support for interval symbol.The inputs to the logic gate 1807, are one of the received symbol signal‘RS1’ through ‘RSn’ modified with the left biased or right-biasedsignal, LB/RB#, the interval symbol state valid signal, CntV1, same assignal 1720, and one of the interval symbol control vector bit ‘C1’through ‘Cn’, same as signals 1724(1) through 1724(n). The index ‘n’would correspond to the state index of the FSA. If the interval symbolcontrol vector bit, C1 in this illustration, is ‘1’, then if theinterval symbol state indicates that a valid sequence is detected byasserting the signal CntV1, then if the next input symbol is ‘RS1’, thenthe state Q1 is asserted, meaning the FSA enters the next state thatfollows the interval symbol state. Multiple states of the PRISM FSA canbe entered from an interval symbol state if each of those states havetheir associated interval symbol control vector bit set and the symbolrequired to transition in that state is received immediately followingthe interval symbol recognizes its sequence from the input symbols.

FIG. 18B illustrates a state logic block for a state in PRISM withinterval symbol. The figure illustrates how various interval symbolstate capabilities illustrated in FIG. 17C, may be coupled in a statelogic block of a state in PRISM as illustrated in FIG. 4B. If the stateis an interval symbol state, the output signal N1, 1716 is used as anincrement to the interval counter in the interval counter block, 1732,associated with this state. For all states that depend on the intervalsymbol state to match the sequence, a signal CntV1, 1720, generated bythe interval counter block, 1732, is used as an input to the statetransition logic as illustrated in FIG. 18A and is coupled to a bit ofthe ISCV bit like C1 through Cn, corresponding to the state of the FSA.Thus the state logic block of a state in PRISM is augmented to supporttransitions from interval symbol states as described above for the FIGS.17A, 17B, 17C, 18A, 18B, 4A and 4B.

FIG. 19 illustrates PRISM Search Engine with Interval Symbol. Thisfigure illustrates a left-biased Tagged NFA rule block in PRISM asillustrated in FIG. 6B coupled to interval symbol logic, 1914, thatenables the creation of a PRISM Search Engine that supports intervalsymbol. Even though the illustration is with a left biased NFA, one withordinary skill in the art will appreciate that similar functionality canbe achieved with a right biased NFA as illustrated in FIG. 6A and suchusage is within the scope and spirit of this invention. This figure doesnot illustrate the details of state block 1, as illustrated in FIG. 6B.The PRISM Search Engine with interval symbol comprises of a counter,block 1901, which includes an m-bit interval counter, like 1719. Theinverter, 1715, is not illustrated in this figure, but may either bepart of the counter block 1901 or may be provided by another block. ThePRISM search engine further comprises a count low evaluation memory,1903, which is similar to CSL, block 1721, which holds a memory valuefor the low limit of the interval symbol and compares the output of thecounter, 1901, with the value programmed in its memory. When the countervalue is equal to or greater than the value programmed in the count lowevaluation memory location the output signal 1913, like signal 1729, isasserted. The PRISM search engine further comprises a count highevaluation memory, 1905, which is similar to CSH block 1722, which holdsa memory value for the high limit of the interval symbol and in thisillustration may also comprise of the functionality of the count memoryand transition detection block, 1723, and compares the output of thecounter, 1901, with the value programmed in its memory. When the countervalue is less than or equal to the value programmed in the count highevaluation memory location, an internal signal like 1730 not illustratedin this figure would be asserted. The count memory and transition blockfunctionality, like block 1723, provided by the count high evaluationmemory block couples this internal signal with the signal 1913 andgenerates the output signal 1915 of this block depending on the mode ortype of the interval symbol programmed in this block as described abovefor block 1723. The output signal 1915 provides functionality similar tosignal CntV1, 1720. The PRISM search engine further comprises aninterval symbol control vector memory block 1906, which holds the ISCVvalue that is programmed for the specific interval symbol based regularexpression being programmed in the PRISM search engine. The outputs ofISCV are the vector bits, C1 through Cn, 1724(1) through 1724(n) whichare coupled to the state transition logic per state of the PRISM FSA.The PRISM search engine with interval symbol further comprises anInterval partial state logic block 1908, which couples the ISCV vectorbits, C1 through Cn, with CntV1, signal 1915, and the RS1 through RSn.The block 1908 essentially implements the functionality similar to thelogic gates, 1714(1) through 1714(n). The output bits of the intervalpartial state are coupled to the final state evaluation block 1909,which merges the interval symbol state count transition events withother FSA partial state transition events providing functionalitysimilar to logic gate 507 illustrated in FIG. 5 a. The interval counterhas been described as an m-bit counter in the description above tohighlight the difference that the counter width is not required to bethe same as the number of states ‘n’ of the PRISM FSA. The counter widthmay be the same as the number of FSA states or lower or higher. In onepreferred embodiment there may be the same number of bits in the counteras the number of states of the FSA i.e. m=n. In one other embodiment mmay be half the number of states of the FSA. In such an embodiment,there may be two interval counters each with a width of half the numberof states of the FSA and coupled to two different states of the FSA toreceive their increment signal like 1716. In such an embodiment, theassociated CSL, CSH and other interval symbol logic circuits would alsobe matched in width to the width of the counters and would also bepresent in two sets. Similarly each FSA state may be able to receivetransition from either of the interval symbol states or may each becoupled to only one or the other interval symbol and the interval symbolcontrol vector implemented appropriately as may be appreciated by onewith ordinary skill in the art. The functionality of the rest of thePRISM search engine elements illustrated in the FIG. 19 are similar tocorresponding elements illustrated in FIGS. 5 a, 5 b, 6 a left-biased orright biased FSA realization.

All the memory blocks like count low evaluation memory, the count highevaluation memory, or the ICSV memory and the like described abovecomprise of typical memory architecture as all the other memory orstorage elements of PRISM. The implementation details of such memoryelements and storage are not illustrated so as not to obscure theinvention as may be appreciated by one with ordinary skill in the art.

There are many variations of implementing PRISM Search engine withinterval symbol as may be appreciated by one with ordinary skill in theart. Even though the above description of the interval symbol state andthe PRISM Search engine is illustrated to be implemented in a specificway, one with ordinary skill in the art may appreciate that there aremultiple ways to accomplish the interval symbol state representation andall such variations or mechanisms are considered to be within the scopeof this invention.

FIG. 9 illustrates a PRISM search compiler flow (full and incrementalrule distribution). The flow can be used for distributing search rulesor security rules when the full set of rules are defined or when anyupdates or modifications are made to the rule set and incrementalchanges to the rule set need to be communicated and configured in thePRISM search memory. The search memory may be used in distributedsecurity architecture within system nodes across a network which may bea LAN, WAN, MAN, SAN, wireless or wired LAN and the like. The rules likeapplication layer rules, network layer rules or storage network layerrules or any other content search rules may be created using manual orautomated means and provided as inputs to the search compiler flow in apredefined format. The rules may be created per each layer of a sevenlayer OSI networking stack or there may be other non OSI layer specificrules. The search compiler's rule parser, 904, parses the rules andconverts them into regular expression format if the rules are notalready in that form and need to be evaluated as regular expressionrules. The rules parser presents signature rules like anti-virussignature rules to PRISM signature compiler flow, 911 . . . . Then theregular expression rules are converted into FSA rules compiled to thenode capabilities of the node that has the PRISM content search memoryand signature rules compiled to PRISM signature search enginecapabilities described below and stored in the rules database. The rulesfrom the rule database are retrieved and distributed by the rulesdistribution engine to the appropriate node(s) with the PRISM searchmemory. The search or security rules may be distributed to the hostprocessor or a control processor or a host microprocessor or a networkprocessor or a master processor or a combination thereof as appropriatedepending on the node capability. The rules may be distributed using asecure link or insecure link using proprietary or standard protocols asappropriate per the specific node's capability over a network. Thenetwork may be a local area network (LAN), wide area network (WAN),internet, metro area network (MAN), wireless LAN, storage area network(SAN) or a system area network or another network type deployed or acombination thereof. The network may be Ethernet based, internetprotocol based or SONET based or other protocol based or a combinationthereof.

FIG. 10 illustrates PRISM FSA Compiler flow. The regular expressions forthe content search are presented to the PRISM FSA Compiler flow by therules parser, block 904. PRISM compiler flow may optionally beimplemented as a stand alone compiler as well and may read regularexpressions for the content search rules or security rules or the likegenerated by an IT manager or a user or another tool or a combination orthe like for compilation to PRISM. PRISM FSA compiler reads the regularexpressions, block 1002, from a storage device like a disk drive or afile server or memory or the like or directly from the output of anothertool or a combination and processes these regular expressions optionallyin the order specified. Since PRISM processes RE rules using independentFSAs, the REs are compiled individually, however it may be possible forthe PRISM FSA compiler to process more REs for one FSA when PRISMsupports multiple REs per FSA block. The PRISM compiler flow comprisesof one or more of the steps illustrated in the FIG. 10 and describedbelow which may be performed in the illustrated order or another orderto compile the rules for PRISM as may be appreciated by one withordinary skill in the art. PRISM compiler flow checks if all the regularexpressions have been processed or not, block 1003, and if anyexpressions are left, it goes through the path, 1004, otherwise itfollows the path, 1017. When a regular expression is read by the block,1005, it is parsed, block 1006, to understand various constructs of theregular expression. The PRISM compiler flow may at this stage indicatean error if there are any issues with the regular expression like anysyntax being invalid or the like. The error flow is not illustrated inthe figure but may optionally comprise of logging the regular expressionwith an error, informing the user or the application or the like of theerror, ignore the error and move on to the next regular expression, orstop the processing altogether or the like or a combination of theforegoing. However, if no errors are discovered, the regular expressionssyntax tree is constructed, block 1007, and various symbols of theregular expression are extracted, block 1008. The regular expressionsymbols are then marked, block 1009, to make each symbol unique as perthe requirement of the Berry-Sethi's FSA construction algorithm. Forexample a regular expression like (a|b)*cd(a|ef)* may be marked as(a₀|b₁)*c₂d₃(a₄|e₅f₆)* there by making each symbol of the regularexpression unique. This regular expression is now linear and isprocessed, block 1010, to find the determinants that extract whetherempty string is part of the language of the regular expression and itscomponents. The compiler flow may extract the first states that areentered from the start state of the regular expression, block 1011. Forthe above example the first states are: a₀, b₁, and c₂ which may all beentered on processing the first symbol from the start state. Then thePRISM FSA compiler flow may extract the follow states, block 1012 foreach of the states or symbols of the FSA. For the example above thefollowing may be the follow states per each state:

State a₀ Follow states: a₀, b₁, and c₂State b₁ Follow states: a₀, b₁, and c₂State c₂ Follow states: d₃State d₃ Follow states: a₄, or e₅State a₄ Follow states: a₄, or e₅State e₅ Follow states: f₆State f₆ Follow states: a₄, or e₅

The PRISM compiler flow then creates the state transition list perstate, 1013, from the follow states above which essentially form thestate transition list from each state. The PRISM compiler flow thenextracts terminal or accept states, 1014 of the regular expression. Forthe example expression above the accept states are: d₃, a₄, and f₆. Onceall the processing of the FSA states is done, the marked symbols areconverted back to their unmarked form and the appropriate PRISMprogrammable FSA data structures generated, block 1015 for example, SDVper state, FSA state symbols, symbol mask if any, initial or firststates, accept states as well as optional tag states if the regularexpression is tagged, a left biased or right-biased control if PRISMimplements such option, any associated action to be taken, the FSA IDthat will hold this RE and the like. If the regular expression needs touse more states than those supported in a single PSE, the compilerassigns the RE to multiple FSAs and couples them together usingrow-wise, column-wise, or rule group FSA extensions or a combinationthere of or may split the RE into multiple rules to fit the specificembodiment of PRISM, its characteristics and the like. Further, if theregular expression being represented has an interval symbol and thePRISM search engine with support for interval symbol is present, thecompiler sets up the appropriate memory values in the interval symbollogic, like the CSL, CSH, ICSV and the like to realize the regularexpression with interval symbol in PRISM using the methods describedabove. If the PRISM search engines with interval symbol do not exist,then the compiler may expand the interval symbol and then program theexpanded regular expression in appropriate PRISM search engine. Theinterval symbol programming in PRISM may also be coupled with the FSAextension mechanisms of PRISM described above. This RE in the PRISMcompiled form may either be kept in memory or storage or the like andonce all such REs are processed they may all be stored compiled rulesdatabase, block 1018. Each compiled RE may be deposited individually inthe database or all rules may be deposited once they are all processedor a combination. The compiled rules database may be an actual databaseor a file or a storage element or the like that records the compiledrules data that may then be programmed into an appropriate PRISM deviceby the rules distribution engine, 909, working with the PRISM controllerof the corresponding PRISM device.

FIG. 20 illustrates PRISM signature compiler flow. This flow may be usedfor compiling signatures of applications like anti-virus that have alarge number of signatures that are typically represented as a string of8-bit characters some of which may also comprise of regular expressions.Anti-virus signatures mostly comprise of strings of characters, however,there may be a portion of the signatures that also have regularexpressions. Such signatures that have regular expressions are processedby the PRISM FSA Compiler Flow illustrated in FIG. 10 described above.

The signature search on a large number of fixed signatures has beensuggested in literature using a technique called bloom filters. Bloomfilters compress a large number of fixed signatures (for clarity fixedsignatures mean signatures without regular expressions in this patent)using multiple (e.g. k, where k is an integer) uncorrelated hashfunctions applied on each signature and set a memory bit correspondingto each hash index generated by each hash function. When looking forcontent belonging to the set of signatures, the same hash functions areapplied to the content and hash indices generated. These hash indicesare used to extract the memory bit values at those locations. If eachmemory bit value is set, then there is a chance that the processedcontent stream may be part of the signatures being searched. Once, sucha determination is made an exact match function is applied on thecontent stream and the fully expanded signature or signatures associatedwith the bloom filter match to ascertain that the content beingprocessed indeed matches one of the signatures in the set of signatures.If all the bytes of the signature match the appropriate number of bytesof the content a signature match is flagged which may then be used totake appropriate actions associated with such a signature match. Forexample, in an anti-virus application, such a match indicates presenceof a virus and hence the content may be quarantined or removed orcleaned or if it is streaming content, the stream dropped or the likebased on the anti-virus policy.

PRISM uses bloom filters with modifications to support regularexpression signatures and variable length signatures to overcome some ofthe key limitations of bloom filters. When implementing signature searchrules in hardware using bloom filters for high performance, like frommulti-100 Mbps through 10 Gbps and higher, a number of bytes of contenthave to be processed simultaneously. For example, if operating frequencyof a hardware processor implementing bloom filter is 125 MHz, and itprocesses one byte per clock cycle, one search engine can process up to1 Gbps, and hence to process incoming stream of content at 10 Gbps, 10simultaneous search engines are required, where each search engine'ssearch is at one byte offset from the other. Thus if there are 10 searchengines, then the first search engine may process the stream at bytenumber 1, while fifth search engine may process the stream at bytenumber 5 and the like, with each search engine skipping 10 bytes fromone cycle to the next to achieve 10 Gbps. Multiple complexities arise insuch an implementation. First each search engine requires a dedicatedmemory with the bloom filter database to check membership of the contentbeing processed in the set of signatures. Second, typically thesignature rules are variable length, and hence each signature lengthneeds to be processed separately which causes additional search enginesand memories. For instance, anti-virus signatures may be from couple ofbytes to over a hundred bytes, with majority of them being over 12 to 15bytes. Since bloom filters, are essentially hash functions that have tooperate fast, a fixed number of content bytes are processed by each hashengine. Hence, the signature database is separated in same lengthsignature sets up to a certain length, for example from 2 bytes to 15bytes, and then all signatures longer than 15 bytes are truncated at 15bytes and placed in the same set. Then each signature set is processedby a set of hash functions to generate a bloom filter for each length ofsignature bytes. There are search engines implemented to process eachsignature length of bytes from the content. Thus if there are 14 sets ofsignature lengths, then 14 sets of search engines are implemented withtheir dedicated bloom filter database memory. As indicated above if theline rate to be processed is 10 Gbps, and each search engine onlyoperates at 1 Gbps, then for each set 10 search engines are required andfor all 14 sets a total of 140 search engines are required. Thus therequirement of the number of search engines can explode depending on thetype of the signatures.

One preferred embodiment of PRISM signature search engines avoid theexplosion in the number of search engines driven by the signature lengthsets by picking a number ‘N’ as the length of the signatures that getimplemented using the signature search engines. Any signatures that areless than ‘N’ bytes, get realized using the PRISM FSA Search Engines(PSE) described above. This may save significant integrated circuit chiparea and resources.

PRISM signature compiler flow illustrated in FIG. 20 reads signatures,2002 and processes them until all the signatures presented to it by therules parser are processed, 2003. It retrieves each signature, 2004, andchecks the length of the signature, 2005, by comparing it to a length‘N’ where ‘N’ is an integer. Typically for an anti-virus application ‘N’may be 12, 13, 14 or 15 or like. If the number of bytes in the signatureis less than ‘N’, then that signature is presented to PRISM FSA compilerflow, 2013, illustrated in FIG. 10, which treats the signature as asimple regular expression of character string and compiles it forevaluation by PRISM FSA search engines. However, if the length of thesignature is equal to or more than ‘N’, then ‘N’ bytes of the signatureare extracted, 2006, and k different hash functions are applied to thosebytes, 2007, which then generate k hash indices H1 through Hk, 2008.These hash indices are then used to create a compressed signaturedatabase table which gets implemented in PRISM as a memory array. Thecompressed signature database table entries (which translates toassociated memory locations of PRISM memory) corresponding to theindices are set to ‘1’, 2009. The width of the hash indices depends onthe number of the signatures in the rules. For one embodiment, if thenumber of signatures is 128,000, k may be 4, and the number of memorylocations or compressed signature database table entries may be 512,000.For another embodiment, for 128,000 signatures, k may be 4 and thenumber of memory locations or compressed signature database tableentries may be 1,024,000. There may be multiple signatures that mayresult in some of the Hash indices, H1 through Hk, to be the same. Also,different signatures may set the memory locations H1 through Hk to ‘1’which can cause a false positive when content search is being performed.During content search, k hash indices, H1 through Hk, are generated from‘N’ bytes of content using the same hash functions used to generate thecompressed signature database and then the values at the memorylocations H1 through Hk are looked up. If all the locations have a value‘1’, then that means the content is likely to contain a signature fromthe signature set used to generate the compressed signature database.However, due to the reasons outlined above, multiple differentsignatures could have set the memory locations H1 through Hk for thecontent being examined to ‘1’. To ensure that there indeed is a match,an exact match of the content has to be performed with the signaturesthat could set one of the index like H1 to a ‘1’, when all the memorylocations H1 through Hk return a value ‘1’, To perform this exact match,each signature is also stored with all its bytes in a PRISM memory or anexternal memory coupled to PRISM. Each signature is associated with oneindex location where for example hash index H1 computed for eachsignature can always be used as a memory address or index to store thecorresponding signature. However, since multiple signatures can map tothe same hash index, those signatures are used in PRISM to form adeterministic Finite State Automaton (DFA) or an Aho-Corasick (AC)Finite State Automaton or the like to perform exact match. Thus, when amatch is found through the compressed signature database lookup usinghash indices, one of the hash index, for example H1, is used as areference to point to the root of the automaton in an internal orexternal memory location where the DFA or Aho-Corasick (AC) FSA for allsignatures that map to this hash index are stored. Then content bytesare used to traverse the DFA or AC FSA or the like to see if there is amatch with one of the signatures that also generate H1 as a hash indexvalue. If an exact match comparison finds a match, the content isdeclared to have matched a specific signature otherwise there is nomatch or the compressed signature database match is referred to as afalse match. Such compressed organization of signatures may producefalse positives but never generates false negatives i.e. if the contentindeed contains a pattern that matches one of the signatures, it willalways be flagged as a match during the compressed signature databaselookup as well as during exact match evaluation and will never bemissed, however, anytime a match is found from the compressed signaturedatabase does not always mean that an exact match will be found. Thus tofacilitate the exact match operation the signature search compiler flowgenerates a DFA or an AC FSA or the like and sets up a pointer to thatat a location in internal or external memory associated with index H1 orHn used for performing exact match as illustrated in 2011. One preferredembodiment may use DFAs for storing exact match signatures. Anotherpreferred embodiment may use AC FSA for storing exact match signatures.Other ways of storing and retrieving exact match signatures are allwithin the scope and spirit of the teachings of this patent as may beappreciated by one with ordinary skill in the art. A signature databaseentry for each signature with its compressed database and the exactmatch database (comprised of DFA or AC FSA or the like) is thengenerated as illustrated in 2012. Once all the signatures have beenprocessed, a complete signature database comprising the compressedsignature database as well as the exact match DFA or AC FSA or the likeis generated, block 2014, which is then used by the rules distributionengine, 909, to program it in PRISM nodes that support signaturesearches.

The width of the hash indices generated depends on the size of thecompressed signature database. In one preferred embodiment, there may beat least k times the total number of signatures, where k is the numberof hash functions and is an integer, as the database size to provideadequate dispersion of hash results from various signatures.

FIG. 21 illustrates PRISM Signature search flow. When PRISM is used toexamine content against signatures programmed in its signature searchengines, 722, the content search follows a flow similar to thatillustrated in FIG. 21, however, several steps illustrated may beoptionally performed simultaneously for optimizing the performance ofthe hardware solution. The PRISM signature search engines receive orread, 2102, the content or packet or the like to be examined from thePRISM controller, 703 and examine each byte of the content or the packetagainst the compressed signature database to find a match in thecontent. Each byte of the content is presented to the PRISM FSAs, 2105,which have regular expression rules programmed as well as optionallyportions of the signature database programmed as described above. If thePRISM FSAs with signatures programmed in them indicate a match, 2106,then a signature match is flagged, 2115, which is an exact match thatindicates the presence of one of the signatures in the content. Anaction associated with the matching signature, which may be programmedas a policy associated with the signature rules, is taken, 2116. Theaction may be to drop the packet, stop examining the content, flag thelocation of the match to the PRISM controller and/or a master processor,drop the entire session, or the like. PRISM may take the action or mayjust alert a master processor about the matched signature and associatedaction, and the master processor may take the appropriate action. Once apacket is fully processed or a match is found, PRISM signature searchengine may retrieve another packet or flow or content to process fromthe PRISM controller. When ‘N’ bytes of content have been received bythe PRISM signature search engines, 2107, k hash functions used togenerate the compressed signature database are applied to the contentand k hash indices generated, 2108 and 2109. A memory holding thecompressed signature database in the signature search engines is thenlooked up with hash indices as addresses, 2110. If the values atlocations H1 through Hk are all ‘1’, 2111, then an initial match orcoarse match is found and the content needs to be further examined toverify if an exact match with one of the signatures is found. A pointerto the content is assigned, 2112, to an exact match controller, 2309,described below with H1 or Hn as the index to DFA or AC FSA or the likethat hold the signatures for that hash index. The exact matchcontroller, 2309, performs an AC or DFA table walk (i.e traverse theFSAs) by examining each of the ‘N’ content bytes and more if necessaryuntil a match is found or the table reaches a leaf node indicating nomatch, 2113. If there is no match, 2114, first byte of the content isshifted out or discarded, 2118, and a new byte ‘N+1’ is retrieved andduring the next iteration through the loop, ‘N’ bytes starting thesecond byte in the content are used to determine a match. If an exactmatch is found during the AC or DFA table walk, 2113 and 2114, then asignature match is flagged, 2115, and appropriate action taken asdescribed above. Thus the PRISM signature search flow can examine thecontent for signature presence starting at each byte location of thecontent until a match is found or the content is exhausted.

FIG. 22 illustrates PRISM Signature search engine for variable lengthsignatures. As discussed above, applications like anti-virus have alarge number of signatures whose lengths vary from a few bytes to over100 bytes. To perform a high speed, from 100 Mbps to 10 Gbps or higher,virus signature lookup in network traffic or other content, hardwareimplementation is used in PRISM signature search engine to examinecontent against compressed signature database described above. In oneembodiment all signatures other than regular expression based signaturesare evaluated by PRISM signature search engines. Since there can bevariable signature lengths, compressed signature database for a set ofsignature lengths are created, where the signatures may be separatedinto signature of lengths ‘X” bytes through ‘Y’ bytes. Any signaturesthat are larger than ‘Y’ bytes are truncated to ‘Y’ bytes and includedin the signature set with ‘Y’ bytes for generating the compressedsignature database. However for the exact match step, the signatureswith more than ‘Y’ bytes, retain their full length to ensure that thecontent hash that maps to the compressed signature database and is foundto match indeed has the full signature match. Thus, to support variablelength signatures, PRISM signature search engines may optionallycomprise of byte length specific signature search engines, 2203(1)through 2203(M), which handle X-byte signatures through Y-bytesignatures where Y-X is M, and X and Y are any integers. For oneembodiment X may be 2 and Y may be 13. As illustrated each byte-lengthspecific signature search engine may comprise a buffer like, 2204(1)through 2204(M) which collect appropriate number of bytes to be searchedfrom the input stream presented to the signature search controller,2201, by the PRISM controller, 703, on the interface, 715. The signaturesearch controller, 2201, controls the flow of the content to be examinedthrough the byte-length specific signature search engines. It also isused to setup all byte length specific search engines with thecompressed signature database values in the byte-length specificsignature hash memory, like 2206(1) through 2206(M). The signaturesearch controller also is coupled to exact match controller, 2209, whichis used to perform an exact match on signatures where the compressedsignature match is flagged to be valid. The signature search controllermay be used to communicate the results of the signature search to thePRISM controller, 703, and/or a master controller as any exact matchesare found. It may also be programmed with policies that may indicatewhat action should be taken when a signature match is found. Forexample, if a signature match is found the policies may indicate whetherthe packet or the content or the flow or the like be stopped fromfurther examination or dropped or the like or should the examinationcontinue and report all matches in the content or the like. The Figureillustrates that the signature search engine presents one stream ofcontent in buffers, 2202, from which specific number of bytes arecoupled to the byte length specific signature search engines. In sucharchitecture the performance of the signature search is limited to therate at which a single byte is processed. Hence if the signature searchengines operate at 125 MHz, then the line rate of search supported is 1Gbps (125 MHz times 8-bits/clock cycle). To achieve a 10 Gbps linespeed, either the operating frequency of the integrated circuit orhardware has to be increased by a factor of 10 or multiple bytes have tobe examined in parallel or multiple bytes have to be examined and theoperating frequency has to be raised or the like. The signature searchcontroller is capable of supporting all of the above needs toaccommodate the increase in search performance. For multiplesimultaneous bytes being searched, all blocks other than the signaturesearch controller may be replicated and coupled to the signature searchengine. It is also possible to replicate the signature search engine andhave the PRISM controller, 703, provide the proper scheduling of contentor packets to each of the replicated signature search engines as may beappreciated by one with ordinary skill in the art.

Byte length specific signature search engine 2203(1) retrieves X-bytesof content being examined and then generates k hash indices using k hashengines that use X-bytes, 2205 (1,1) through 2205(1,k). The hash engineseach perform a different hash function on the retrieved X-bytes. Thehash functions being used are the same as those used on the signaturerules to create the compressed signature database. The output index ofeach hash engine, is then used to lookup the compressed signaturedatabase setup in the Signature Hash Memory for X-byte lengthsignatures, 2206(1). Since there are k hash functions, k separate memoryports are used to simultaneously access the memory values at each of thehash index, H1 through Hk, for a high speed implementation. For a lowerperformance solution, k memory look-ups through a single memory port mayoptionally be used. The signature hash memory, 2206(1) through 2206(M),may be multi-ported with k ports or signature hash memory block may bereplicated such that each of the hash index location is readsimultaneously. The outputs of the signature hash memory correspondingto the hash indices are coupled to match logic, 2207(1). If all outputsof match logic are set, a coarse level match is generated by the matchlogic, which indicates that there is a good probability that a signaturematch has occurred. However, since hashing is a many to one function, itis possible that the coarse match may not mean an actual match existswith all bytes of a signature, and to ascertain the match an exact matchneeds to be performed. To enable an exact match operation the searchengine creates a coarse match descriptor which comprises of informationlike the flow ID or content ID or packet ID or the like, the byte offsetwhere the coarse match was flagged, one hash index that was generatedfor the coarse match, and the like. It puts the coarse match descriptorin an exact match queue, 2208(1), from which the exact match controller,2209, retrieves it and performs an exact match. The exact matchcontroller, 2209, retrieves the coarse match descriptors from the exactmatch queues like 2208(1) through 2208 (M) in an order like round-robinor smallest length signature search engine to higher length searchengine or the like. As described above, full signatures are processed bythe signature search compiler flow to create an exact match datastructure or data base in memory using either a DFA or Aho-Corasick FSAor the like algorithm which can then be traversed or walked using asequence of characters from the input content. All signatures that mapto a specific hash index are all used to generate an exact match datastructure for that hash index. Thus every hash index which has anysignatures that map to it has an exact match data structure associatedwith it which may either provide the root node of the FSA or the like orcan provide a pointer to the root node which may then be used totraverse the FSA based on the sequence of the input content where acoarse match is found. The exact match controller, 2209, implements anexact match logic which enables the traversal of exact match datastructure stored in memory coupled to the exact match controller throughthe memory interface, 2210. The exact match controller may startretrieving the packet bytes from the signature search controller, 2209,starting at an address from the packet information retrieved from thecoarse match descriptor. Then each byte of the content is used to walkthrough the exact match data structure by retrieving the root node ofthe FSA of the signatures stored at the hash index used as an offset into the memory table storing the exact match signatures. The exact matchdata structure walk progresses one or more bytes per clock cycle,retrieving the next state of the FSA based on the currently receivedinput byte or bytes. Once a leaf node is reached it indicates thecompletion of the search and if the leaf node is not an empty node, itindicates that the signature is completely matched and an exact match isflagged. However, if the leaf node is an empty node, then it means thatthe content stream at the flagged location does not meet any of theexact match signatures. If an exact match is detected by the exact matchcontroller, it may communicate this to the signature search controller,2201, and the PRISM controller, 703, which may then take an appropriateaction as described by the policy associated with the matched signature.The exact match controller walks through the exact match queues of eachof the byte-length specific signature search engines to ensure that ifmore than one coarse match is found from a byte location of the content,all such matches are processed. However, if one of the coarse matchresults in an exact match, the other match requests for that content mayor may not be performed as per the policy programmed in the signaturesearch controller for the application like anti-virus.

One issue with architecture like the one illustrated in FIG. 22 is thatthere is a need to have multiple byte-length specific signature searchengines to process all the variable size signatures which can result inan inefficient utilization of the hardware resources. Further, when theline rate of the signature search engine needs to be increased byreplication, all byte-length specific engines also have to be replicatedas many times as the multiple in the line rate performance improvement.Additionally, when developing a hardware solution that can be used for avariety of applications whose signatures may change over a period oftime, it is difficult to estimate how large the byte-length specificsignature hash memory, 2206(1) through 2206(M), should be to accommodateall applications that can use the signature search engines.

FIG. 23 illustrates PRISM Signature Search Engine using PRISM FSA forvariable length signatures. As discussed above, applications likeanti-virus have variable length signatures and for examining contentagainst those signatures multiple byte-length specific signature searchengines are needed which can result in inefficient hardware resourceutilization and implementation. Since PRISM enables support of a largenumber of FSAs in a single chip, it is possible to assign signaturesless than ‘N’ bytes, where N is an integer, to the FSAs along withsignatures that comprise regular expressions for evaluation in parallelto the signature search engines. All signatures that are equal to orgreater than ‘N’ bytes in length are treated in a single set ofsignatures, where all of the signatures are truncated to ‘N’ bytes forcreating a compressed signature database for coarse matching and fullsignatures are retained as described above for exact matching. Bypartitioning the signatures in this manner and leveraging the largenumber of FSA resources that are enabled by PRISM for smaller lengthsignatures, only a single signature search engine for ‘N’ byte length isrequired to perform the coarse match generation as illustrated in FIG.23. In such an architecture ‘N’ bytes from the content are retrieved andused to generate k hash indices as described above and used to find thecompressed signatures. If the compressed signatures retrieved from theN-byte signature hash memory, 2306, are all set as detected by the matchlogic, 2307, a exact match descriptor like the one described above forillustration in FIG. 22 is entered in the exact match queue, 2308. Theexact match controller, 2309, provides the functionality similar to theexact match controller, 2209, described above except that the exactmatch controller, 2309, needs to operate on a single exact match queueunlike the exact match controller for illustration in FIG. 22. When ahigher line rate search performance is required, the ‘N’ byte lengthsignature search engine can be replicated and the exact match controllermodified to operate on multiple exact match queues as necessary toachieve the desired speed up as may be appreciated by one with ordinaryskill in the art. Thus a significant amount of hardware resources can besaved by this invention compared to the illustration in FIG. 22.

FIG. 24 illustrates PRISM integrated in a DRAM. This figure illustratesfew key blocks of modern SDRAMs such as DDR2, DDR3 and the like. Thefigure illustrates multiple banks of DRAM arrays in blocks 2401, 2410and 2411. Each DRAM bank comprises of similar blocks for decoding row ofthe memory location in the DRAM bank array, block 2402, accessed usingthe row address decode block, 2403, and a column address decoded usingcolumn address decode block, 2405. The memory location read from thememory bank array is sensed by a sense amplifier, block 2406, and theout put from the memory banks are provided to the Data mask and I/Ologic, block 2407. The dram banks also include a referesh logic block,2404, to periodically refresh the dram memory locations from losingtheir stored data.

The figure illustrates PRISM memory, 2409, with its controller, 2408,integrated with the standard DRAM to perform regular expression andsignature searches within the dram integrated circuit. The PRISM arraysare programmed to perform the regular expression search and signaturesearches by a driver software running on a processor or a dramcontroller hardware in the system that incorporates this PRISM enabledsecure DRAM. PRISM regular expression rules data base may be programmedin multiple ways. One way is to map PRISM configuration registers asmemory mapped I/O which would allow the software driver or the dramcontroller to program PRISM with the regular expression and signaturedata base to perform security search on data which may be received fromthe network that the system that embeds this secured DRAM is connectedto or could be data content that may be generated on the system or maybe data at-rest on storage systems attached to such a network. PRISM mayalso be programmed by using DRAM mode register sets. Specific, unusedbits in the mode registers for a particular dram family such as DDR2 orDDR2 or the like may be mapped to programming PRISM. There can be otherways to program PRISM embedded in a DRAM as will be obvious to one withordinary skill in the art.

Once the PRISM memory has been programmed, it may be commanded by thesoftware driver or dram controller or the like to start examining datacontent. The data content to be examined would be set in the DRAM bankor banks and the appropriate address location of the data start and theamount of data may be provided to PRISM. PRISM can then examine the datacontent by accessing this data from within the DRAM and provide theresults of the examination in result location set by the driver or thecontroller. The driver or the controller may retrieve the results at itsconvenience and take actions based on the search results found by PRISM.

The benefit of integrating PRISM in a DRAM is that processor(s) of thesystem using such solution is free to perform useful work without havingto spend precious CPU cycles on security threat evaluation. Further,since DRAMs are a common element in most systems, a unified securitythreat solution can be created using PRISM enabled secure DRAMs.

FIG. 25 illustrates PRISM integrated in a DRAM in second configuration.In this configuration the PRISM is integrated within each bank of theDRAM as illustrated by blocks 2501, 2502 and 2503. These PRISM blocksmay optionally be coupled to each other through an interface illustratedin block 2504. The interface between distributed PRISM blocks, 2501,2502 and 2503 may be used to communicate information pertaining toconfiguration, search results, content to be searched and the like.

The advantage of distributing PRISM blocks as illustrated is that eachPRISM block could be analyzing data content stored within the bankssimultaneously. This may be used to improve the performance of thecontent search using PRISM. This may also be used where differentapplications may be programmed to different PRISM blocks and each blockmay perform content search programmed in that PRISM block. Theprogramming of PRISM is similar to that described above. The softwaredriver or the controller as the flexbility to utilize the distributedPRISM in a manner suited to the needs of the system and the applicationsrunning on such system as will be appreciated by one with ordinary skillin the art.

FIG. 26 illustrates PRISM and cryptographic processing integrated in aDRAM. Cryptography is an important aspect of security applications. Thisfigure illustrates cryptography processing integrated along with PRISMcontent search within a DRAM. The cryptography processing engine, 2602,may provide encryption and decryption capabilities for standardalogorithms such as AES, SHA, MD5, RSA, and the like. The crytographyprocessing engine may be programmed and controlled using a controller,2601. The cryptography engine may also be programmed by a softwaredriver or a dram controller using mechanisms similar to those describedabove for programming PRSIM embedded in DRAM for example as memorymapped I/O or mode register sets or the like. The cryptographycontroller may also provide capability to generate random numbers usinga random number generator that can be used to create cyrptography keysused in the cryptography algorithms implemented by the cryptographyengine. Cryptography processing engines may perform their tasks undercommand of the software driver or the hardware controller as appropriateon specific data residing on the DRAMs as indicated by the driver or thecontroller. The results may be exchanged with the driver or thecontroller by putting the results of the crypto operations in addresslocations indicated by the driver or the controller.

FIG. 27 illustrates a regular expression engine integrated in a DRAM.The figure illustrates a regular expression engine, 2701, to performcontent search. This regular expression engine may be a NFA or a DFA orcomposite DFA engine that performs content search of regular expressionrules programmed within it or in regular expression state tables thatmay be set up in the DRAM banks. This engine may be programmed andcontrolled to perform content search operations on data on the dramusing mechanisms similar to those described above for PRISM embedded inthe DRAM.

The PRISM memory of this invention may be manufactured into hardwareproducts in the chosen embodiment of various possible embodiments usinga manufacturing process, without limitation, broadly outlined below. ThePRISM memory in its chosen embodiment may be designed and verified atvarious levels of chip design abstractions like RTL level,circuit/schematic/gate level, layout level etc. for functionality,timing and other design and manufacturability constraints for specifictarget manufacturing process technology. The design would be verified atvarious design abstraction levels before manufacturing and may beverified in a manufactured form before being shipped. The PRISM memorydesign with other supporting circuitry of the chosen embodiment at theappropriate physical/layout level may be used to create mask sets to beused for manufacturing the chip in the target process technology. Themask sets are then used to build the PRISM memory based chip through thesteps used for the selected process technology. The PRISM memory basedchip then may go through testing/packaging process as appropriate toassure the quality of the manufactured product.

Thus the inventions of this patent cover various aspects like:

A memory architecture comprising programmable intelligent search memory(PRISM) for content search wherein the PRISM memory provides searchcapability for regular expression based search and a regular expressionsare compiled into a format recognized by PRISM and that follows thePRISM FSA algorithm.

The regular expression compiler comprises of one or more of thefollowing steps in no specific order:

-   -   1. Read mechanism to read regular expressions and a read process        to do the same    -   2. Parse mechanism to parse RE and a parse process to do the        same    -   3. Syntax tree generation mechanism to generate syntax tree and        a syntax tree generation process to do the same    -   4. RE error handling mechanism to handle RE errors and a process        to handle RE errors    -   5. RE symbol extraction mechanism to extract RE symbols and an        RE symbol extraction process to do the same    -   6. RE marking mechanism to mark RE symbols with unique integers        and a RE marking process to do the same    -   7. A FSA linearization mechanism to create a linear FSA and        create its determinants to extract presence or absence of empty        string in the language defined by the RE and a process to do FSA        linearization    -   8. A mechanism to find and extract first states of the linear        FSA and a process for first state identification and extraction    -   9. A mechanism to find and extract follow states of the        linearized FSA and a process for follow state identification and        extraction    -   10. A mechanism to find and extract the state transition list        per state and a process for state transition list identification        and extraction    -   11. A mechanism to find and extract the accept or terminal        states and a process for accept or terminal states        identification and extraction    -   12. Create PRISM programmable FSA data programmable database        structure for the RE comprises one or more of SDV, state        symbols, LB/RB, Accept state, Initial States or Initial vector,        tag states, FSA ID, GSDV, GCV, RCV, ESV, LUV, UV, FV, DC, UC,        LV, CSL, CSH, Interval Symbol mode, ISCV or a combination of the        foregoing    -   13. A mechanism to generate the Compiled RE expressions rules        data base comprising the PRISM programmable FSA data structures        and a method for the compiled RE rules data base generation.    -   14. A mechanism to provide the compiled rules data base to a        rules distribution engine or other agent to program these rules        in the target PRISM device and a method to do the same    -   15. A mechanism to generate a programmable FSA rule ID for        programming the linear FSA in one specific memory location of        PRISM memory locations that are randomly accessible to access,        store or program the programmable FSA rule memory circuits    -   16. A mechanism to generate specific actions that need to be        taken when a particular regular expression programmed in the        PRISM FSA rule blocks is matched or    -   17. a combination of the foregoing.

The PRISM memory comprises of FSA extension architecture and mechanismsto enable programming of regular expressions that are larger than thebasic PSE FSA search states. The FSA extension architecture mayoptionally comprise of Row-wise FSA extension mechanisms or column-wiseFSA extension mechanisms or FSA rule groups extensions or a combinationthereof to support large regular expressions and optionally to supportgroups of regular expressions that can be used to enable execution ofother groups of regular expressions when a certain event in the firstrule group is activated.

The PRISM memory Rule group FSA extension architecture may comprise ofExternal state vectors, and may optionally comprising of rule groupcontrol vectors. The ESVs and RCVs may optionally be addressed as memorylocations that may be programmed by the PRISM controller, or an externalmaster processor or the cluster evaluation processor or a globalevaluation processor or a combination to enable transitions into and outof rule groups in PRISM.

The Column-wise FSA architecture may further comprise of Forwardingvector-up or down, local forwarding vectors-up or down, up controlvector, down control vector, or a combination there of.

The row-wise FSA architecture may further comprise of global statedependent vectors, global control vectors, global state transitioncontrols, global control network or a combination.

The PRISM control vectors like GSDV, GCV, FV, LV, LUV, UV, DC, UC, RCV,or the like may be implemented as memory locations accessed for fromprogramming from the PRISM address decode and control logic or PRISMcluster address decode and FSA controller or PRISM controller or acombination there of.

PRISM memory architecture that enables replicating states of an FSA thatmay enable proper FSA extensions of REs using FSA extension architectureand mechanisms described above.

The PRISM memory comprises of architecture and mechanisms to enableprogramming of regular expressions that comprise interval symbols like‘a[x.y]’ and the like. The PRISM search engine with interval symbolcomprises of at least one interval counter block that is used to count anumber of times an event or a symbol or the like has been received. ThePRISM search engine with interval symbol further comprises at least onecount low evaluation memory which is used to program the interval symbollow limit and is used to compare the interval counter value with thatprogrammed in the count low evaluation memory. The PRISM search enginewith interval symbol further comprises at least one count highevaluation memory which is used to program the interval symbol highlimit and is used to compare the interval counter value with thatprogrammed in the count high evaluation memory. The PRISM search enginewith interval symbol further comprises at least one interval symbolcontrol vector memory to hold the interval symbol state dependenttransition control vector bits that enable the transition from aninterval symbol state to other ISCV enabled states of the PRISM FSA.

The PRISM memory with interval symbol memory compiler may furthercomprise of programming interval symbol state parameters like the statesymbol, the state low count limit, the state high count limit, theinterval symbol type or the mode or a combination of the foregoing toenable programming of regular expressions with interval symbols into oneor more PRISM search engines. If the regular expression being compiledby the compiler needs more interval symbol states than those provided bya PRISM search engine, the compiler may also use FSA row-wise orcolumn-wise or a combination FSA extension architecture mechanisms asdescribed above.

The PRISM memory further comprises an array of search memory circuitsthat provide the regular expression search functions for searchingcontent from documents, messages or packets or other data received fromthe network or the local host or a master processor or a networkprocessor or TCP Offload Engine or Processor or Storage Networkprocessor or a security processor or other processor or a combinationthereof.

The PRISM memory further comprises of a plurality of clusters of thesearch memory circuits that provide regular expression search functionsfor a plurality of regular expressions. The search memory circuitscomprise of memory elements to store symbols of finite state automatarepresenting the regular expressions. The search memory circuits furthercomprise memory elements to store mask vectors (MV) that may be appliedto the stored symbols. The mask vectors are coupled to the symbol memoryelements and the content being searched through symbol evaluationcircuits that detect whether the received content comprises of thesymbols being searched. The search memory circuits further comprise ofmemory elements to store elements of state dependent vectors (SDV) whichare used to decide the state traversal by the search memory for thefinite state automata. The search memory circuits further comprise ofmatch detect circuits that operate by coupling with the memory elementsfor symbols, MVs, SDVs, and the symbol evaluation circuits for multiplestates of the FSAs to decide on the traversal of the states in the FSAbased on the content being searched and the programmed symbols, SDVs,and MVs. The search memory circuits may further comprise tag and matchdetect circuits that operate to provide tagged FSA and regularexpression search, wherein the tagged FSA is used to detect sub-stringor partial regular expression match beside a full regular expressionmatch.

The memory elements of the PRISM memory comprise of static memory cells.The memory elements are each independently addressable in a randomorder. The PRISM memory further comprises of circuits to couple thecontent search memory with other logic to provide coupling withprocessors that can interface to the PRISM memory integrated circuits.The PRISM memory further comprises of a controller for interfacing withthe processors to receive the content to be searched. The PRISM memorymay further comprise of address decode logic circuits which decode thereceived address to select the specific static memory cells location tobe read or written. The memory elements of the search memory may each beuniquely addressed to read or write appropriate values in the memoryelements. The address decoding logic and the controller generate controlsignals necessary to address the appropriate memory locations of thestatic memory cells based search memory. The control signals are coupledto the PRISM arrays as a series of word lines and bit lines that canrandomly be used to access desired memory locations.

The memory elements of PRISM support detection of character patternstrings. The PRISM memory comprises of symbol detection circuits and mayoptionally comprise of mask vectors per symbol bits, that may be used toevaluate received character string using simple XOR based compare orother logic function and create a match indication. The PRISM matchsignal processing circuits may logically combine multiple match signalsfrom each symbol detection block to generate a composite match signalwhich would be activated only if all the symbols have a match. Thecomposite match signal creates a match functionality like a traditionalCAM chip and thus enable PRISM chip to be partially or fully configuredto behave like a CAM provide a pattern matching functionality besideregular expression search.

The PRISM memory further comprises of signature search engines forsearching content against a large set of signatures like those foranti-virus. The PRISM signature search engines are coupled to the PRISMregular expression search engines to support applications that havefixed character signatures as well as regular expression signatures. Thesaid PRISM search engines further comprise of fixed length signaturerecognition hardware. The fixed length signature search engines maycomprise of a content buffer for content to be examined. It may furthercomprise of ‘k’ hash generators to generate ‘k’ hash indices to be usedas memory addresses to retrieve the compressed signatures from a hashsignature memory. The PRISM search engine may further comprise of a hashsignature memory to store and retrieve a compressed signature databasegenerated by applying ‘k’ different hash functions to the saidsignatures. The PRISM signature search engines further comprise of exactmatch queues to store exact match descriptors used by an exact matchcontroller to perform an exact match on a data structure associated withthe hash index of the coarse match. The said exact match descriptors maycomprise of the packet identification, or flow ID or content ID or thelike. The exact match descriptor may further comprise of the byte offsetwhere the coarse match is detected. The said exact match descriptor mayfurther comprise of the number of bytes used to generate the coarsematch.

A PRISM signature compiler used for processing the signatures generatesa compressed signature database and optionally a full signature databaseused for coarse match and exact match respectively. The full signaturedatabase comprises of a data structures for all signatures and whenmultiple signatures whose hash value maps to the same hash index, thesignature database for that hash index uses all signatures that map tothat location to create the said data structure. The said data structuremay be realized as a FSA like a DFA or AC FSA or the like. The PRISMmemory further comprises of an exact match controller to perform exactmatch of content with signatures when a coarse match is flagged. ThePRISM signature search engines may further comprise of policies to takeactions when an exact match is detected. The policies may be programmedby a PRISM controller or a master controller coupled to PRISM.

While the foregoing has been with reference to particular embodiments ofthe invention, it will be appreciated by those with ordinary skill inthe art that changes in these embodiments may be made without departingfrom the principles and spirit of the invention.

What is claimed is:
 1. A system comprising a processor, a dramcontroller and a Dynamic Random Access Memory (DRAM) comprising aProgrammable Intelligent Search Memory (PRISM) for regular expressionsearch using non-deterministic finite state automaton and furthercomprising a cryptography processing engine for performing encryptionand decryption, said PRISM and cryptography processing engines creatinga secure DRAM for use in the said system.
 2. The system of claim 1,further comprising a software program running on the processor toprogram the PRISM with regular expression rules.
 3. The system of claim2, further comprising means to program the PRISM as a memory mapped I/O.4. The system of claim 2, coupled to a network to receive data to beexamined using the regular expression rules programmed in the PRISM. 5.The system of claim 4, coupled to a storage system that provides dataat-rest to be examined using the regular expression rules programmed inthe PRISM.
 6. The system of claim 2, wherein the software programfurther comprises means to command the PRISM to examine the data contentstored in the DRAM.
 7. The system of claim 2, wherein the softwareprogram further comprises means to configure the programmableintelligent search memory to provide the results of the examination in aresult memory location configured by the software program.
 8. The systemof claim 2, wherein the software program further comprises means toprogram the cryptography processing engines to perform encryption ordecryption.
 9. The system of claim 1, further comprising a random numbergenerator for creating cryptography keys used by the cryptographyprocessing engines.
 10. The system of claim 1, wherein the PRISM isdistributed per bank of the DRAM.
 11. A system comprising a processor, adram controller and a Dynamic Random Access Memory (DRAM) comprising aProgrammable Intelligent Search Memory (PRISM) for regular expressionsearch using non-deterministic finite state automaton.
 12. The system ofclaim 11, further comprising a software program running on the processorto program the PRISM with regular expression rules.
 13. The system ofclaim 12, further comprising means to program the PRISM as a memorymapped I/O.
 14. The system of claim 12, coupled to a network to receivedata to be examined using the regular expression rules programmed in thePRISM.
 15. The system of claim 14, coupled to a storage system thatprovides data at-rest to be examined using the regular expression rulesprogrammed in the PRISM.
 16. The system of claim 12, wherein thesoftware program further comprises means to command the PRISM to examinethe data content stored in the DRAM.
 17. The system of claim 12, whereinthe software program further comprises means to configure the PRISM toprovide the results of the examination in a result memory locationconfigured by the software program.
 18. The system of claim 11, whereinthe PRISM is distributed per bank of the DRAM.
 19. A Dynamic RandomAccess Memory (DRAM) comprising a Programmable Intelligent Search Memory(PRISM) for regular expression search using non-deterministic finitestate automaton distributed per bank of the DRAM.
 20. The DRAM of claim3, further comprising a cryptography processing engine for performingencryption and decryption, said PRISM and cryptography processingengines creating a secure DRAM.